Bugzilla – Bug 1219995
VUL-0: CVE-2024-22017: nodejs20: setuid() does not drop all privileges due to io_uring
Last modified: 2024-06-06 12:20:00 UTC
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/ setuid() does not drop all privileges due to io_uring (CVE-2024-22017) - (High) setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). Impacts: This vulnerability affects all users in active release lines: 20.x, and 21.x. Thank you, to valette for reporting this vulnerability and thank you Tobias Nießen for fixing it.
This is an autogenerated message for OBS integration: This bug (1219995) was mentioned in https://build.opensuse.org/request/show/1147152 Factory / nodejs20 https://build.opensuse.org/request/show/1147153 Factory / nodejs21
SUSE-SU-2024:0643-1: An update that solves 10 vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1219152, 1219724, 1219992, 1219993, 1219994, 1219995, 1219997, 1219998, 1219999, 1220014, 1220017 CVE References: CVE-2023-46809, CVE-2024-21890, CVE-2024-21891, CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: openSUSE Leap 15.5 (src): nodejs20-20.11.1-150500.11.6.1 Web and Scripting Module 15-SP5 (src): nodejs20-20.11.1-150500.11.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed and released.