Bug 1187973 - (CVE-2021-22918) VUL-0: CVE-2021-22918: nodejs10,nodejs12,nodejs14,nodejs,libuv: libuv upgrade - Out of bounds read
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/303414/
Reported: 2021-07-02 13:56 UTC by Robert Frohl
Modified: 2023-01-23 18:46 UTC (History)

Description Robert Frohl 2021-07-02 13:56:07 UTC
libuv upgrade - Out of bounds read (Medium) (CVE-2021-22918)

Node.js is vulnerable to an out-of-bounds read in libuv's uv__idna_toascii() function, which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosure or crashes.

You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918

Impacts:

    All versions of the 16.x, 14.x, and 12.x release lines

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
Comment 1 OBSbugzilla Bot 2021-07-02 16:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1187973) was mentioned in
https://build.opensuse.org/request/show/903753 Factory / nodejs16
Comment 2 Robert Frohl 2021-07-05 09:32:59 UTC
libuv upstream commit:

https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae
Comment 3 Robert Frohl 2021-07-05 09:39:55 UTC
libuv introduced uv__idna_toascii() in v1.24.0; SLE is not affected, as we ship an older version.

Relevant for openSUSE:Factory, but there is no new release containing the fix, afaict.
Comment 4 OBSbugzilla Bot 2021-07-06 08:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1187973) was mentioned in
https://build.opensuse.org/request/show/904343 Factory / nodejs14
Comment 7 Robert Frohl 2021-07-06 14:55:43 UTC
tracking as affected:

nodejs10:
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update

nodejs12:
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP2:Update

nodejs14:
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-15-SP2:Update

not affected:

- libuv (version in openSUSE:Factory is affected)
- nodejs4
- nodejs6
- nodejs8
Comment 9 Adam Majer 2021-07-07 08:01:36 UTC
Reassigning to the libuv maintainer for a fix in Factory.
Comment 12 Matej Cepl 2021-07-10 10:41:33 UTC
https://build.opensuse.org/request/show/905119
Comment 13 OBSbugzilla Bot 2021-07-12 08:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1187973) was mentioned in
https://build.opensuse.org/request/show/905781 Factory / libuv
Comment 14 OBSbugzilla Bot 2021-07-13 11:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1187973) was mentioned in
https://build.opensuse.org/request/show/906102 Factory / libuv
Comment 15 Swamp Workflow Management 2021-07-14 19:58:29 UTC
SUSE-SU-2021:2323-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.24.1-1.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2021-07-14 20:00:08 UTC
SUSE-SU-2021:2326-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.2-1.32.1

Comment 17 Swamp Workflow Management 2021-07-14 20:05:18 UTC
SUSE-SU-2021:2319-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.17.2-6.12.1

Comment 18 Swamp Workflow Management 2021-07-14 20:10:31 UTC
openSUSE-SU-2021:2327-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.2-4.16.1
Comment 19 Swamp Workflow Management 2021-07-14 20:12:17 UTC
SUSE-SU-2021:2327-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.2-4.16.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.2-4.16.1

Comment 20 Swamp Workflow Management 2021-07-15 16:24:48 UTC
openSUSE-SU-2021:2354-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.17.2-5.12.1
Comment 21 Swamp Workflow Management 2021-07-15 16:30:40 UTC
SUSE-SU-2021:2353-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    nodejs10-10.24.1-1.36.1
SUSE Manager Retail Branch Server 4.0 (src):    nodejs10-10.24.1-1.36.1
SUSE Manager Proxy 4.0 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.1-1.36.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.1-1.36.1
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.1-1.36.1
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.1-1.36.1

Comment 22 Swamp Workflow Management 2021-07-15 16:33:23 UTC
SUSE-SU-2021:2354-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.17.2-5.12.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.17.2-5.12.1

Comment 23 Swamp Workflow Management 2021-07-15 16:42:51 UTC
openSUSE-SU-2021:2353-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-1.36.1
Comment 24 Swamp Workflow Management 2021-07-20 01:18:51 UTC
openSUSE-SU-2021:1059-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.2-lp152.3.15.1
Comment 25 Swamp Workflow Management 2021-07-20 01:20:29 UTC
openSUSE-SU-2021:1061-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1183155,1183851,1183852,1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290,CVE-2021-3449,CVE-2021-3450
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs10-10.24.1-lp152.2.15.1
Comment 26 Swamp Workflow Management 2021-07-20 01:25:25 UTC
openSUSE-SU-2021:1060-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1184450,1187973,1187976,1187977
CVE References: CVE-2020-7774,CVE-2021-22918,CVE-2021-23362,CVE-2021-27290
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.17.2-lp152.11.1