SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:1537-1
Container Tags        : bci/node:20 , bci/node:20-7.2 , bci/node:latest , bci/nodejs:20 , bci/nodejs:20-7.2 , bci/nodejs:latest
Container Release     : 7.2
Severity              : important
Type                  : security
References            : 1220053 1222244 1222384 1222530 1222603 CVE-2024-24806 CVE-2024-27982 CVE-2024-27983 CVE-2024-30260 CVE-2024-30261
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1301-1
Released:    Tue Apr 16 03:33:31 2024
Summary:     Security update for nodejs20
Type:        security
Severity:    important
References:  1220053,1222244,1222384,1222530,1222603,CVE-2024-24806,CVE-2024-27982,CVE-2024-27983,CVE-2024-30260,CVE-2024-30261

This update for nodejs20 fixes the following issues:

Update to 20.12.1

Security fixes:

- CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::~Http2Session() that could lead to HTTP/2 server crash (bsc#1222244)
- CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscation (bsc#1222384)
- CVE-2024-30260: Fixed proxy-authorization header not cleared on cross-origin redirect in undici (bsc#1222530)
- CVE-2024-30261: Fixed fetch with integrity option is too lax when algorithm is specified but hash value is incorrect in undici (bsc#1222603)
- CVE-2024-24806: Fixed improper domain lookup that potentially leads to SSRF attacks in libuv (bsc#1220053)

The following package changes have been done:

- nodejs20-20.12.1-150500.11.9.2 updated
- npm20-20.12.1-150500.11.9.2 updated