Request 860426: Submit nodejs12 - openSUSE Build Service

Overview

Request 860426 accepted

- New upstream LTS version 12.20.1:
* CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS
implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with
a freshly allocated WriteWrap object as first argument.
If the DoWrite method does not return an error, this object is
passed back to the caller as part of a StreamWriteResult structure.
This may be exploited to corrupt memory leading to a
Denial of Service or potentially other exploits (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling allow two copies of a
header field in a http request. For example, two Transfer-Encoding
header fields. In this case Node.js identifies the first header
field and ignores the second. This can lead to HTTP Request
Smuggling (https://cwe.mitre.org/data/definitions/444.html).
(bsc#1180554)
* CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference
(High) This is a vulnerability in OpenSSL which may be exploited
through Node.js. (bsc#1179491)
- versioned.patch, nodejs-libpath.patch: refreshed

Created by adamm over 3 years ago
In state accepted

Submit nodejs12

Comments for request 860426 0

Login required, please login in order to comment

Request History

adamm created request over 3 years ago

- New upstream LTS version 12.20.1:
* CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS
implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with
a freshly allocated WriteWrap object as first argument.
If the DoWrite method does not return an error, this object is
passed back to the caller as part of a StreamWriteResult structure.
This may be exploited to corrupt memory leading to a
Denial of Service or potentially other exploits (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling allow two copies of a
header field in a http request. For example, two Transfer-Encoding
header fields. In this case Node.js identifies the first header
field and ignores the second. This can lead to HTTP Request
Smuggling (https://cwe.mitre.org/data/definitions/444.html).
(bsc#1180554)
* CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference
(High) This is a vulnerability in OpenSSL which may be exploited
through Node.js. (bsc#1179491)
- versioned.patch, nodejs-libpath.patch: refreshed

factory-auto added opensuse-review-team as a reviewer over 3 years ago

Please review sources

factory-auto accepted review over 3 years ago

Check script succeeded

namtrac accepted review over 3 years ago

licensedigger accepted review over 3 years ago

ok

dimstar_suse added openSUSE:Factory:Staging:adi:45 as a reviewer over 3 years ago

Being evaluated by staging project "openSUSE:Factory:Staging:adi:45"

dimstar_suse accepted review over 3 years ago

Picked "openSUSE:Factory:Staging:adi:45"

dimstar_suse accepted review over 3 years ago

Staging Project openSUSE:Factory:Staging:adi:45 got accepted.

dimstar_suse approved review over 3 years ago

Staging Project openSUSE:Factory:Staging:adi:45 got accepted.

dimstar_suse accepted request over 3 years ago

Staging Project openSUSE:Factory:Staging:adi:45 got accepted.

openSUSE Build Service is sponsored by