Bug 1196877 - (CVE-2022-0778) VUL-0: CVE-2022-0778: openssl1,openssl-1_0_0,openssl-1_1,openssl-3: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
VUL-0: CVE-2022-0778: openssl1,openssl-1_0_0,openssl-1_1,openssl-3: Infinite...
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/325570/
CVSSv3.1:SUSE:CVE-2022-0778:7.5:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-03-08 17:00 UTC by Marcus Meissner
Modified: 2022-05-04 19:18 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
upstream patch (2.13 KB, patch)
2022-03-08 17:08 UTC, Gianluca Gabrielli
Details | Diff
Upstream test (1.96 KB, patch)
2022-03-08 17:08 UTC, Gianluca Gabrielli
Details | Diff
upstream patch 1.1.1 (1.96 KB, patch)
2022-03-08 17:09 UTC, Gianluca Gabrielli
Details | Diff
Upstream test 1.1.1 (2.14 KB, patch)
2022-03-08 17:09 UTC, Gianluca Gabrielli
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Gianluca Gabrielli 2022-03-08 17:08:33 UTC
Created attachment 856841 [details]
upstream patch
Comment 2 Gianluca Gabrielli 2022-03-08 17:08:56 UTC
Created attachment 856842 [details]
Upstream test
Comment 3 Gianluca Gabrielli 2022-03-08 17:09:23 UTC
Created attachment 856843 [details]
upstream patch 1.1.1
Comment 4 Gianluca Gabrielli 2022-03-08 17:09:41 UTC
Created attachment 856844 [details]
Upstream test 1.1.1
Comment 6 Gianluca Gabrielli 2022-03-08 17:20:48 UTC
the following are the supported packages in OBS/IBS:

SUSE:SLE-12:Update/compat-openssl098    0.9.8j
SUSE:SLE-11-SP1:Update/openssl          0.9.8j
SUSE:SLE-12-SP2:Update/openssl          1.0.2j
SUSE:SLE-12-SP4:Update/openssl          1.0.2p
SUSE:SLE-15-SP2:Update/openssl          1.1.1d
SUSE:SLE-15-SP4:Update/openssl          1.1.1l
SUSE:SLE-15:Update/openssl              1.1.0i
SUSE:SLE-12-SP4:Update/openssl-1_0_0    1.0.2p
SUSE:SLE-15:Update/openssl-1_0_0        1.0.2p
SUSE:SLE-12-SP4:Update/openssl-1_1      1.1.1d
SUSE:SLE-15-SP1:Update/openssl-1_1      1.1.0i
SUSE:SLE-15-SP2:Update/openssl-1_1      1.1.1d
SUSE:SLE-15-SP4:Update/openssl-1_1      1.1.1l
SUSE:SLE-15:Update/openssl-1_1          1.1.0i
SUSE:SLE-11-SP3:Update/openssl1         1.0.1g
openSUSE:Factory/openssl                1.1.1m
openSUSE:Factory/openssl-1_0_0          1.0.2u
openSUSE:Factory/openssl-1_1            1.1.1m

according the version number, they should be all affected.

There's also SUSE:SLE-15-SP4:Update/openssl-1_1-livepatches, which TBH I don't know to what is used for. In any case, it doesn't contain the vulnerable code.
Comment 17 Marcus Meissner 2022-03-15 18:21:58 UTC
fix is in openssl git:

commit 3118eb64934499d93db3230748a452351d1d9a65
Author: Tomas Mraz <tomas@openssl.org>
Date:   Mon Feb 28 18:26:21 2022 +0100

    Fix possible infinite loop in BN_mod_sqrt()
    
    The calculation in some cases does not finish for non-prime p.
    
    This fixes CVE-2022-0778.
    
    Based on patch by David Benjamin <davidben@google.com>.
    
    Reviewed-by: Paul Dale <pauli@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
Comment 18 Marcus Meissner 2022-03-15 18:23:46 UTC
https://www.openssl.org/news/secadv/20220315.txt

OpenSSL Security Advisory [15 March 2022]
============================================

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)
==================================================================================

Severity: High

The BN_mod_sqrt() function, which computes a modular square root, contains
a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.

Thus vulnerable situations include:

 - TLS clients consuming server certificates
 - TLS servers consuming client certificates
 - Hosting providers taking certificates or private keys from customers
 - Certificate authorities parsing certification requests from subscribers
 - Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker
can control the parameter values are vulnerable to this DoS issue.

In the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.  It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.

OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2

This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy
from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz
from OpenSSL.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
It is affected by the issue.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Comment 19 Pedro Monreal Gonzalez 2022-03-15 18:25:29 UTC
Factory submissions:
 * openssl-1_1: https://build.opensuse.org/request/show/961992
 * openssl: https://build.opensuse.org/request/show/961993
Comment 20 Pedro Monreal Gonzalez 2022-03-15 19:09:31 UTC
SLE15-SP$:GA submission: https://build.suse.de/request/show/267584
Comment 21 Pedro Monreal Gonzalez 2022-03-15 19:09:54 UTC
(In reply to Pedro Monreal Gonzalez from comment #20)
> SLE15-SP$:GA submission: https://build.suse.de/request/show/267584

SLE15-SP4:GA submission: https://build.suse.de/request/show/267584 ;)
Comment 22 Pedro Monreal Gonzalez 2022-03-15 19:29:16 UTC
openssl-3 Factory submission:
 * https://build.opensuse.org/request/show/962004
Comment 23 Swamp Workflow Management 2022-03-15 23:18:38 UTC
openSUSE-SU-2022:0856-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openssl-1_0_0-1.0.2p-3.49.1
openSUSE Leap 15.3 (src):    openssl-1_0_0-1.0.2p-3.49.1
Comment 24 Swamp Workflow Management 2022-03-15 23:19:39 UTC
SUSE-SU-2022:14916-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssl1-1.0.1g-0.58.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2022-03-15 23:20:48 UTC
SUSE-SU-2022:0853-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    openssl-1_1-1.1.0i-14.27.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    openssl-1_1-1.1.0i-14.27.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    openssl-1_1-1.1.0i-14.27.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    openssl-1_1-1.1.0i-14.27.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    openssl-1_1-1.1.0i-14.27.1
SUSE Enterprise Storage 6 (src):    openssl-1_1-1.1.0i-14.27.1
SUSE CaaS Platform 4.0 (src):    openssl-1_1-1.1.0i-14.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2022-03-15 23:21:55 UTC
SUSE-SU-2022:0854-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    openssl-1.0.2j-60.75.1
SUSE OpenStack Cloud 8 (src):    openssl-1.0.2j-60.75.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    openssl-1.0.2j-60.75.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    openssl-1.0.2j-60.75.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    openssl-1.0.2j-60.75.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    openssl-1.0.2j-60.75.1
HPE Helion Openstack 8 (src):    openssl-1.0.2j-60.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-03-15 23:23:16 UTC
SUSE-SU-2022:0856-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Manager Retail Branch Server 4.1 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Manager Proxy 4.1 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Server for SAP 15 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Server 15-LTSS (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Enterprise Storage 7 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE Enterprise Storage 6 (src):    openssl-1_0_0-1.0.2p-3.49.1
SUSE CaaS Platform 4.0 (src):    openssl-1_0_0-1.0.2p-3.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2022-03-15 23:24:27 UTC
SUSE-SU-2022:0851-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1180995,1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    openssl-1_1-1.1.0i-4.66.1
SUSE Linux Enterprise Server 15-LTSS (src):    openssl-1_1-1.1.0i-4.66.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    openssl-1_1-1.1.0i-4.66.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    openssl-1_1-1.1.0i-4.66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2022-03-15 23:25:30 UTC
SUSE-SU-2022:0859-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP5 (src):    compat-openssl098-0.9.8j-106.33.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    compat-openssl098-0.9.8j-106.33.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    compat-openssl098-0.9.8j-106.33.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-106.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2022-03-15 23:26:47 UTC
SUSE-SU-2022:0857-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1196249,1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    openssl-1_0_0-1.0.2p-3.48.1
SUSE OpenStack Cloud 9 (src):    openssl-1_0_0-1.0.2p-3.48.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openssl-1_0_0-1.0.2p-3.48.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    openssl-1_0_0-1.0.2p-3.48.1
SUSE Linux Enterprise Server 12-SP5 (src):    openssl-1_0_0-1.0.2p-3.48.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    openssl-1_0_0-1.0.2p-3.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2022-03-15 23:27:55 UTC
SUSE-SU-2022:14915-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    openssl-0.9.8j-0.106.46.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openssl-0.9.8j-0.106.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssl-0.9.8j-0.106.46.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssl-0.9.8j-0.106.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2022-03-15 23:30:43 UTC
SUSE-SU-2022:0860-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (important)
Bug References: 1182959,1195149,1195792,1195856,1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    openssl-1_1-1.1.1d-2.61.1
SUSE OpenStack Cloud 9 (src):    openssl-1_1-1.1.1d-2.61.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openssl-1_1-1.1.1d-2.61.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    openssl-1_1-1.1.1d-2.61.1
SUSE Linux Enterprise Server 12-SP5 (src):    openssl-1_1-1.1.1d-2.61.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    openssl-1_1-1.1.1d-2.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Pedro Monreal Gonzalez 2022-03-16 07:06:59 UTC
openssl-1_1 submission to SLE15-SP4:GA:
 * https://build.suse.de/request/show/267605
Comment 35 Fusion Future 2022-03-17 06:41:19 UTC
I still don't get the fix on Leap 15.3 one day after the security announcement was released.
Comment 37 Marcus Meissner 2022-03-18 15:54:35 UTC
(In reply to Fusion Future from comment #35)
> I still don't get the fix on Leap 15.3 one day after the security
> announcement was released.

we had some sync issues which got resolved yesterday. should be available now.
Comment 38 Gianluca Gabrielli 2022-03-21 10:57:07 UTC
Done.
Comment 41 Swamp Workflow Management 2022-03-22 17:16:28 UTC
SUSE-SU-2022:0935-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.11-1.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 43 Victor Zhestkov 2022-04-01 08:54:38 UTC
I've added the patches to the openssl in the Salt Bundle SLE12 subproject, but it's build time dependency only no any part of this package is included to the published package.
Comment 44 Swamp Workflow Management 2022-04-14 01:18:48 UTC
SUSE-SU-2022:0861-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (important)
Bug References: 1182959,1195149,1195792,1195856,1196877
CVE References: CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    glibc-2.31-150300.20.7, libxcrypt-4.4.15-150300.4.2.41, openssl-1_1-1.1.1d-11.43.1, zlib-1.2.11-3.26.10

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 46 Swamp Workflow Management 2022-04-28 16:17:49 UTC
SUSE-SU-2022:1459-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.19.1-6.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 47 Swamp Workflow Management 2022-04-28 19:18:18 UTC
SUSE-SU-2022:1462-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs14-14.19.1-150200.15.31.1
openSUSE Leap 15.3 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Server 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Manager Proxy 4.1 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs14-14.19.1-150200.15.31.1
SUSE Enterprise Storage 7 (src):    nodejs14-14.19.1-150200.15.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 48 Swamp Workflow Management 2022-04-28 19:19:26 UTC
SUSE-SU-2022:1461-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1194819,1196877,1197283,1198247
CVE References: CVE-2021-44906,CVE-2021-44907,CVE-2022-0235,CVE-2022-0778
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs12-12.22.12-150200.4.32.1
openSUSE Leap 15.3 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Server 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Manager Proxy 4.1 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs12-12.22.12-150200.4.32.1
SUSE Enterprise Storage 7 (src):    nodejs12-12.22.12-150200.4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 50 Swamp Workflow Management 2022-05-04 19:18:06 UTC
SUSE-SU-2022:1536-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1118088,1184177,1196249,1196877,1197279,1197417,1197637,1198556
CVE References: CVE-2018-19787,CVE-2021-28957,CVE-2022-0778,CVE-2022-22934,CVE-2022-22935,CVE-2022-22936,CVE-2022-22941,CVE-2022-24302
JIRA References: 
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3004-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.