Overview

File _patchinfo of Package patchinfo.34775

<patchinfo incident="34775">
  <issue tracker="cve" id="2024-22020"/>
  <issue tracker="cve" id="2024-36138"/>
  <issue tracker="cve" id="2024-36137"/>
 <issue tracker="cve" id="2024-27980"/>
  <issue tracker="cve" id="2024-37372"/>
  <issue tracker="cve" id="2024-22018"/>
  <issue tracker="bnc" id="1227561">VUL-0: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model</issue>
  <issue tracker="bnc" id="1227554">VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL</issue>
  <issue tracker="bnc" id="1227563">VUL-0: CVE-2024-37372: nodejs: permission model improperly processes UNC paths</issue>
  <issue tracker="bnc" id="1227560">VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980</issue>
  <issue tracker="bnc" id="1227562">VUL-0: CVE-2024-22018: nodejs: fs.lstat bypasses permission model</issue>
  <packager>adamm</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for nodejs20</summary>
  <description>This update for nodejs20 fixes the following issues:

Update to 20.15.1:

- CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
- CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)
- CVE-2024-22018: Fixed fs.lstat bypasses permission model (bsc#1227562)
- CVE-2024-36137: Fixed fs.fchown/fchmod bypasses permission model (bsc#1227561)
- CVE-2024-37372: Fixed Permission model improperly processes UNC paths (bsc#1227563)

Changes in 20.15.0:

- test_runner: support test plans
- inspector: introduce the --inspect-wait flag
- zlib: expose zlib.crc32()
- cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

Changes in 20.14.0

- src,permission: throw async errors on async APIs
- test_runner: support forced exit

Changes in 20.13.1:

- buffer: improve base64 and base64url performance
- crypto: deprecate implicitly shortened GCM tags
- events,doc: mark CustomEvent as stable
- fs: add stacktrace to fs/promises
- report: add --report-exclude-network option
- src: add uv_get_available_memory to report and process
- stream: support typed arrays
- util: support array of formats in util.styleText
- v8: implement v8.queryObjects() for memory leak regression testing
- watch: mark as stable
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places