File _patchinfo of Package patchinfo.22942
<patchinfo incident="22942">
<issue tracker="cve" id="2021-3807"/>
<issue tracker="cve" id="2021-3918"/>
<issue tracker="cve" id="2021-23343"/>
<issue tracker="cve" id="2021-32803"/>
<issue tracker="cve" id="2021-32804"/>
<issue tracker="cve" id="2022-21824"/>
<issue tracker="cve" id="2021-44906"/>
<issue tracker="cve" id="2021-44907"/>
<issue tracker="cve" id="2022-0235"/>
<issue tracker="bnc" id="1192154">VUL-0: CVE-2021-3807: nodejs12,nodejs4,nodejs6,nodejs8,nodejs10,nodejs14: node-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes</issue>
<issue tracker="bnc" id="1192153">VUL-0: CVE-2021-23343: nodejs4,nodejs8,nodejs6,nodejs10,nodejs14,nodejs12: node-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe</issue>
<issue tracker="bnc" id="1194514">VUL-1: CVE-2022-21824: nodejs10,nodejs12,nodejs14,nodejs16,nodejs: Prototype pollution via console.table properties</issue>
<issue tracker="bnc" id="1191962">VUL-0: CVE-2021-32804: nodejs12,nodejs8,nodejs14,nodejs4,nodejs10,nodejs6: node-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite</issue>
<issue tracker="bnc" id="1191963">VUL-0: CVE-2021-32803: nodejs14,nodejs12,nodejs6,nodejs4,nodejs10,nodejs8: node-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite</issue>
<issue tracker="bnc" id="1192696">VUL-0: CVE-2021-3918: nodejs14, nodejs10, nodejs12, nodejs8: json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')</issue>
<issue tracker="bnc" id="1198247">VUL-0: CVE-2021-44906: nodejs14,nodejs10,nodejs4,nodejs8,nodejs12,nodejs6: minimist: prototype pollution</issue>
<issue tracker="bnc" id="1197283">VUL-1: CVE-2021-44907: nodejs14,nodejs12,nodejs10,nodejs8,nodejs6,nodejs4,nodejs16: potential Denial of Service vulnerability in qs due to insufficient sanitization of property in the gs.parse function</issue>
<issue tracker="bnc" id="1194819">VUL-0: CVE-2022-0235: nodejs10,nodejs12,nodejs8,nodejs6,nodejs4,nodejs14: node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor</issue>
<packager>adamm</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for nodejs10</summary>
<description>This update for nodejs10 fixes the following issues:
- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
- CVE-2021-3918: Fixed improperly controlled modification of object prototype attributes in json-schema (bsc#1192696).
- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).
- CVE-2022-21824: Fixed prototype pollution via console.table (bsc#1194514).
- CVE-2021-44906: Fixed prototype pollution in npm dependency (bsc#1198247).
- CVE-2021-44907: Fixed insufficient sanitization in npm dependency (bsc#1197283).
- CVE-2022-0235: Fixed passing of cookie data and sensitive headers to different hostnames in node-fetch-npm (bsc#1194819).
</description>
</patchinfo>