Bugzilla – Bug 1191602
VUL-0: CVE-2021-22960: nodejs10,nodejs12,nodejs14,nodejs16,nodejs: HTTP Request Smuggling when parsing the body
Last modified: 2024-05-30 18:52:24 UTC
HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960) The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication. THe fix for this is included in llhttp v2.1.4 and v6.0.6. Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability. Impacts: All versions of the 16.x, 14.x, and 12.x releases lines. https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/
This is an autogenerated message for OBS integration: This bug (1191602) was mentioned in https://build.opensuse.org/request/show/929933 Factory / nodejs16
This is an autogenerated message for OBS integration: This bug (1191602) was mentioned in https://build.opensuse.org/request/show/930406 Factory / nodejs16
This is an autogenerated message for OBS integration: This bug (1191602) was mentioned in https://build.opensuse.org/request/show/930657 Factory / nodejs14
SUSE-SU-2021:3886-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs14-14.18.1-6.18.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs12-12.22.7-4.22.1 SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): nodejs12-12.22.7-4.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 JIRA References: Sources used: openSUSE Leap 15.3 (src): nodejs12-12.22.7-4.22.1
openSUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 JIRA References: Sources used: openSUSE Leap 15.3 (src): nodejs14-14.18.1-15.21.2
SUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs14-14.18.1-15.21.2 SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): nodejs14-14.18.1-15.21.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1552-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 JIRA References: Sources used: openSUSE Leap 15.2 (src): nodejs14-14.18.1-lp152.17.1
openSUSE-SU-2021:1574-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135 JIRA References: Sources used: openSUSE Leap 15.2 (src): nodejs12-12.22.7-lp152.3.21.1
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514 CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 JIRA References: Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.22.9-1.38.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
@Adam: do you know by chance if the upstream advisory is wrong in this case? > THe fix for this is included in llhttp v2.1.4 and v6.0.6. 16.11.1 which supposedly has the fix, updates llhttp to 6.0.4 and not 6.0.6. bsc#1191601 has the same inconsistency issue.
In this case we are talking about, https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.11.1 https://github.com/nodejs/llhttp/pull/131/commits and, https://github.com/nodejs/node/tree/v16.11.1/deps/llhttp NodeJS only uses the native part of llhttp and then has an interface to http via its own interaface - https://nodejs.org/api/http.html The llhttp's Javascript interface part seems to have contained the bug which was only fixed in 6.0.6, but the native bits were changed already in 6.0.4 in the bug that was identified first in nodejs. So both the advisories are correct, but NodeJS doesn't use the entire part of llhttp which makes it confusing if we just look at the version numbers.
SUSE-SU-2022:2855-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 1188917,1189368,1191601,1191602,1201325,1201326,1201327,1201328 CVE References: CVE-2021-22930,CVE-2021-22940,CVE-2021-22959,CVE-2021-22960,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215 JIRA References: Sources used: openSUSE Leap 15.4 (src): nodejs10-10.24.1-150000.1.47.1 openSUSE Leap 15.3 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Manager Server 4.1 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Manager Retail Branch Server 4.1 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Manager Proxy 4.1 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server for SAP 15 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise Server 15-LTSS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): nodejs10-10.24.1-150000.1.47.1 SUSE Enterprise Storage 7 (src): nodejs10-10.24.1-150000.1.47.1 SUSE Enterprise Storage 6 (src): nodejs10-10.24.1-150000.1.47.1 SUSE CaaS Platform 4.0 (src): nodejs10-10.24.1-150000.1.47.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.