Bug 1222244 (CVE-2024-27983)

Summary: VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Adam Majer <amajer>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/400032/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-27983:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1221404    
Bug Blocks:    

Comment 2 Marcus Meissner 2024-04-04 07:13:35 UTC 
is public now
Comment 3 OBSbugzilla Bot 2024-04-10 09:35:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1222244) was mentioned in
https://build.opensuse.org/request/show/1166607 Factory / nodejs21
Comment 4 OBSbugzilla Bot 2024-04-10 11:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1222244) was mentioned in
https://build.opensuse.org/request/show/1166624 Factory / nodejs20
Comment 9 Maintenance Automation 2024-04-16 08:30:04 UTC 
SUSE-SU-2024:1301-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33347](https://smelt.suse.de/incident/33347/)
Sources used:
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.12.1-150500.11.9.2
openSUSE Leap 15.5 (src):
 nodejs20-20.12.1-150500.11.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-04-16 12:30:08 UTC 
SUSE-SU-2024:1309-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33350](https://smelt.suse.de/incident/33350/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.1-150400.9.21.3
openSUSE Leap 15.5 (src):
 nodejs18-18.20.1-150400.9.21.3
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Manager Server 4.3 (src):
 nodejs18-18.20.1-150400.9.21.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-16 12:30:10 UTC 
SUSE-SU-2024:1308-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33369](https://smelt.suse.de/incident/33369/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Manager Server 4.3 (src):
 nodejs16-16.20.2-150400.3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-04-16 12:30:13 UTC 
SUSE-SU-2024:1307-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33351](https://smelt.suse.de/incident/33351/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.1-8.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-04-16 12:30:16 UTC 
SUSE-SU-2024:1306-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33366](https://smelt.suse.de/incident/33366/)
Sources used:
openSUSE Leap 15.3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Enterprise Storage 7.1 (src):
 nodejs16-16.20.2-150300.7.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-04-16 12:30:18 UTC 
SUSE-SU-2024:1305-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33365](https://smelt.suse.de/incident/33365/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs16-16.20.2-8.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2024-04-19 12:30:24 UTC 
SUSE-SU-2024:1346-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33399](https://smelt.suse.de/incident/33399/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Enterprise Storage 7.1 (src):
 nodejs12-12.22.12-150200.4.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2024-04-19 16:30:01 UTC 
SUSE-SU-2024:1355-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33370](https://smelt.suse.de/incident/33370/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Enterprise Storage 7.1 (src):
 nodejs14-14.21.3-150200.15.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.