Bugzilla – Bug 1194512
VUL-0: CVE-2021-44532: nodejs10,nodejs12,nodejs14,nodejs16,nodejs: Certificate Verification Bypass via String Injection
Last modified: 2022-04-17 19:17:37 UTC
Certificate Verification Bypass via String Injection (Medium) (CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. More details will be available at CVE-2021-44532 after publication. This vulnerability was reported by Google.

Impacts: All versions of the 17.x, 16.x, 14.x, and 12.x release lines.

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
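The ambiguity behind this injection, and a parser for the escaped format, as an added example that is not part of the bug report or of Node.js itself. It assumes the behaviour described in the Node.js documentation for patched releases, where an ambiguous SAN value is emitted as a JSON string literal after the type prefix; the function names and the sample string are constructed for illustration.

```javascript
// Constructed sample of a patched-release subjectaltname string: the URI
// value itself contains ", DNS:", so it is emitted as a JSON string literal.
const CONSTRUCTED_SAN =
  'DNS:good.example, URI:"http://x.example/?a=b, DNS:other.example"';

// Pre-fix assumption: ", " always separates entries. Unsafe on such values.
function naiveSplit(san) {
  return san.split(', ');
}

// Hypothetical helper: accepts both plain `TYPE:value` entries and
// `TYPE:"json string literal"` entries, as third-party code should.
function parseSubjectAltName(san) {
  const entries = [];
  let i = 0;
  while (i < san.length) {
    const colon = san.indexOf(':', i);
    if (colon === -1) throw new Error(`malformed SAN entry at offset ${i}`);
    const type = san.slice(i, colon);
    let value, end;
    if (san[colon + 1] === '"') {
      // Quoted value: find the closing unescaped quote, then JSON-decode.
      end = colon + 2;
      while (end < san.length && san[end] !== '"') {
        end += san[end] === '\\' ? 2 : 1;
      }
      if (end >= san.length) throw new Error('unterminated quoted SAN value');
      value = JSON.parse(san.slice(colon + 1, end + 1));
      end += 1;
    } else {
      end = san.indexOf(', ', colon + 1);
      if (end === -1) end = san.length;
      value = san.slice(colon + 1, end);
    }
    entries.push({ type, value });
    if (end < san.length) {
      if (!san.startsWith(', ', end)) throw new Error(`unexpected data at offset ${end}`);
      end += 2;
    }
    i = end;
  }
  return entries;
}

console.log(naiveSplit(CONSTRUCTED_SAN));          // three fragments, one bogus
console.log(parseSubjectAltName(CONSTRUCTED_SAN)); // two real entries
```

Code that inspects `subjectaltname` on patched Node.js releases has to accept both entry formats, since quoting is applied only to values that would otherwise be ambiguous.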
This is an autogenerated message for OBS integration: This bug (1194512) was mentioned in https://build.opensuse.org/request/show/945772 Factory / nodejs16
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.22.9-1.38.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0114-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1194511,1194512,1194513,1194514 CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs14-14.18.3-6.21.1
SUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1194511,1194512,1194513,1194514 CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs12-12.22.9-4.25.1
openSUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1194511,1194512,1194513,1194514 CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 JIRA References: Sources used: openSUSE Leap 15.3 (src): nodejs14-14.18.3-15.24.1
openSUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1194511,1194512,1194513,1194514 CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 JIRA References: Sources used: openSUSE Leap 15.3 (src): nodejs12-12.22.9-4.25.1
SUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1194511,1194512,1194513,1194514 CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs14-14.18.3-15.24.1
openSUSE-SU-2022:0112-1: An update that fixes 35 vulnerabilities is now available. Category: security (important) Bug References: 1194511,1194512,1194513,1194514,1197680,1198053,1198361 CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-1125,CVE-2022-1127,CVE-2022-1128,CVE-2022-1129,CVE-2022-1130,CVE-2022-1131,CVE-2022-1132,CVE-2022-1133,CVE-2022-1134,CVE-2022-1135,CVE-2022-1136,CVE-2022-1137,CVE-2022-1138,CVE-2022-1139,CVE-2022-1141,CVE-2022-1142,CVE-2022-1143,CVE-2022-1144,CVE-2022-1145,CVE-2022-1146,CVE-2022-1232,CVE-2022-1305,CVE-2022-1306,CVE-2022-1307,CVE-2022-1308,CVE-2022-1309,CVE-2022-1310,CVE-2022-1311,CVE-2022-1312,CVE-2022-1313,CVE-2022-1314,CVE-2022-21824 JIRA References: Sources used: openSUSE Leap 15.3 (src): nodejs14-14.18.3-15.24.1 openSUSE Backports SLE-15-SP3 (src): chromium-100.0.4896.88-bp153.2.82.1
openSUSE-SU-2022:0113-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1194511,1194512,1194513,1194514,1198204 CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824,CVE-2022-24191 JIRA References: Sources used: openSUSE Leap 15.3 (src): nodejs12-12.22.9-4.25.1 openSUSE Backports SLE-15-SP3 (src): htmldoc-1.9.12-bp153.2.9.1