1222244 – (CVE-2024-27983) VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

Bug 1222244 (CVE-2024-27983) - VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

Summary: VUL-0: nodejs20,nodejs18: VU#421644: HTTP/2 CONTINUATION frames can be utiliz...

Status:	IN_PROGRESS

Alias:	CVE-2024-27983

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/400032/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-27983:7.5:(AV:...
Keywords:

Depends on:	1221404
Blocks:
	Show dependency tree / graph

Clone This Bug

Reported:	2024-04-02 14:33 UTC by Marcus Meissner
Modified:	2024-07-12 15:20 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Marcus Meissner 2024-04-04 07:13:35 UTC

is public now

Comment 3 OBSbugzilla Bot 2024-04-10 09:35:01 UTC

This is an autogenerated message for OBS integration:
This bug (1222244) was mentioned in
https://build.opensuse.org/request/show/1166607 Factory / nodejs21

Comment 4 OBSbugzilla Bot 2024-04-10 11:35:03 UTC

This is an autogenerated message for OBS integration:
This bug (1222244) was mentioned in
https://build.opensuse.org/request/show/1166624 Factory / nodejs20

Comment 9 Maintenance Automation 2024-04-16 08:30:04 UTC

SUSE-SU-2024:1301-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33347](https://smelt.suse.de/incident/33347/)
Sources used:
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.12.1-150500.11.9.2
openSUSE Leap 15.5 (src):
 nodejs20-20.12.1-150500.11.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Maintenance Automation 2024-04-16 12:30:08 UTC

SUSE-SU-2024:1309-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33350](https://smelt.suse.de/incident/33350/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.1-150400.9.21.3
openSUSE Leap 15.5 (src):
 nodejs18-18.20.1-150400.9.21.3
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs18-18.20.1-150400.9.21.3
SUSE Manager Server 4.3 (src):
 nodejs18-18.20.1-150400.9.21.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Maintenance Automation 2024-04-16 12:30:10 UTC

SUSE-SU-2024:1308-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33369](https://smelt.suse.de/incident/33369/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 nodejs16-16.20.2-150400.3.33.1
SUSE Manager Server 4.3 (src):
 nodejs16-16.20.2-150400.3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Maintenance Automation 2024-04-16 12:30:13 UTC

SUSE-SU-2024:1307-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220053, 1222244, 1222384, 1222530, 1222603
CVE References: CVE-2024-24806, CVE-2024-27982, CVE-2024-27983, CVE-2024-30260, CVE-2024-30261
Maintenance Incident: [SUSE:Maintenance:33351](https://smelt.suse.de/incident/33351/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.1-8.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Maintenance Automation 2024-04-16 12:30:16 UTC

SUSE-SU-2024:1306-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33366](https://smelt.suse.de/incident/33366/)
Sources used:
openSUSE Leap 15.3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs16-16.20.2-150300.7.36.2
SUSE Enterprise Storage 7.1 (src):
 nodejs16-16.20.2-150300.7.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Maintenance Automation 2024-04-16 12:30:18 UTC

SUSE-SU-2024:1305-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33365](https://smelt.suse.de/incident/33365/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs16-16.20.2-8.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Maintenance Automation 2024-04-19 12:30:24 UTC

SUSE-SU-2024:1346-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33399](https://smelt.suse.de/incident/33399/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs12-12.22.12-150200.4.59.1
SUSE Enterprise Storage 7.1 (src):
 nodejs12-12.22.12-150200.4.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Maintenance Automation 2024-04-19 16:30:01 UTC

SUSE-SU-2024:1355-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222244, 1222384
CVE References: CVE-2024-27982, CVE-2024-27983
Maintenance Incident: [SUSE:Maintenance:33370](https://smelt.suse.de/incident/33370/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 nodejs14-14.21.3-150200.15.58.1
SUSE Enterprise Storage 7.1 (src):
 nodejs14-14.21.3-150200.15.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.