Overview

File _patchinfo of Package patchinfo.34773

<patchinfo incident="34773">
  <issue tracker="cve" id="2024-27980"/>
  <issue tracker="cve" id="2024-22020"/>
  <issue tracker="cve" id="2024-36138"/>
  <issue tracker="bnc" id="1227560">VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980</issue>
  <issue tracker="bnc" id="1222665">VUL-0: CVE-2024-27980: nodejs16,nodejs18,nodejs20: Command injection via args parameter of child_process.spawn without shell option enabled on Windows</issue>
  <issue tracker="bnc" id="1227554">VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL</issue>
  <packager>adamm</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for nodejs18</summary>
  <description>This update for nodejs18 fixes the following issues:

Update to 18.20.4:

- CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
- CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

Changes in 18.20.3:

- This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
  deps:
  - acorn updated to 8.11.3.
  - acorn-walk updated to 8.3.2.
  - ada updated to 2.7.8.
  - c-ares updated to 1.28.1.
  - corepack updated to 0.28.0.
  - nghttp2 updated to 1.61.0.
  - ngtcp2 updated to 1.3.0.
  - npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324.
  - simdutf updated to 5.2.4.

Changes in 18.20.2:

- CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places