Security update for nodejs14

Announcement ID:	SUSE-SU-2021:3964-1
Rating:	important
References:	bsc#1190053 bsc#1190054 bsc#1190055 bsc#1190056 bsc#1190057 bsc#1191601 bsc#1191602
Cross-References:	CVE-2021-22959 CVE-2021-22960 CVE-2021-37701 CVE-2021-37712 CVE-2021-37713 CVE-2021-39134 CVE-2021-39135
CVSS scores:	CVE-2021-22959 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-22959 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2021-22960 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-22960 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2021-37701 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVE-2021-37701 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2021-37712 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVE-2021-37712 ( NVD ): 8.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVE-2021-37713 ( SUSE ): 8.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVE-2021-37713 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2021-39134 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVE-2021-39134 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-39135 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVE-2021-39135 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.1 SUSE Manager Server 4.2 Web and Scripting Module 15-SP2 Web and Scripting Module 15-SP3

An update that solves seven vulnerabilities can now be installed.

Description:

This update for nodejs14 fixes the following issues:

nodejs14 was updated to 14.18.1:

• deps: update llhttp to 2.1.4

• HTTP Request Smuggling due to spaced in headers (bsc#1191601, CVE-2021-22959)

• HTTP Request Smuggling when parsing the body (bsc#1191602, CVE-2021-22960)

Changes in 14.18.0:

• buffer:

  • introduce Blob
  • add base64url encoding option

• child_process:

  • allow options.cwd receive a URL
  • add timeout to spawn and fork
  • allow promisified exec to be cancel
  • add 'overlapped' stdio flag

• dns: add "tries" option to Resolve options

• fs:

  • allow empty string for temp directory prefix
  • allow no-params fsPromises fileHandle read
  • add support for async iterators to fsPromises.writeFile

• http2: add support for sensitive headers

• process: add 'worker' event
• tls: allow reading data into a static buffer
• worker: add setEnvironmentData/getEnvironmentData

Changes in 14.17.6

• deps: upgrade npm to 6.14.15 which fixes a number of security issues (bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712, bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134, bsc#1190053, CVE-2021-39135)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Web and Scripting Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2021-3964=1
• Web and Scripting Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP3-2021-3964=1

Package List:

• Web and Scripting Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • nodejs14-debuginfo-14.18.1-15.21.2
  • nodejs14-devel-14.18.1-15.21.2
  • nodejs14-debugsource-14.18.1-15.21.2
  • npm14-14.18.1-15.21.2
  • nodejs14-14.18.1-15.21.2
• Web and Scripting Module 15-SP2 (noarch)
  • nodejs14-docs-14.18.1-15.21.2
• Web and Scripting Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • nodejs14-debuginfo-14.18.1-15.21.2
  • nodejs14-devel-14.18.1-15.21.2
  • nodejs14-debugsource-14.18.1-15.21.2
  • npm14-14.18.1-15.21.2
  • nodejs14-14.18.1-15.21.2
• Web and Scripting Module 15-SP3 (noarch)
  • nodejs14-docs-14.18.1-15.21.2

References:

• https://www.suse.com/security/cve/CVE-2021-22959.html
• https://www.suse.com/security/cve/CVE-2021-22960.html
• https://www.suse.com/security/cve/CVE-2021-37701.html
• https://www.suse.com/security/cve/CVE-2021-37712.html
• https://www.suse.com/security/cve/CVE-2021-37713.html
• https://www.suse.com/security/cve/CVE-2021-39134.html
• https://www.suse.com/security/cve/CVE-2021-39135.html
• https://bugzilla.suse.com/show_bug.cgi?id=1190053
• https://bugzilla.suse.com/show_bug.cgi?id=1190054
• https://bugzilla.suse.com/show_bug.cgi?id=1190055
• https://bugzilla.suse.com/show_bug.cgi?id=1190056
• https://bugzilla.suse.com/show_bug.cgi?id=1190057
• https://bugzilla.suse.com/show_bug.cgi?id=1191601
• https://bugzilla.suse.com/show_bug.cgi?id=1191602