Aggregator

FEDORA-2024-e28ccc9c17 Packages in this update:

• nodejs20-20.12.2-1.fc39

Update description: 2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS

This is a security release

Notable Changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
• llhttp version 9.2.1
• undici version 5.28.4

Commits

• [bd8f10a257] - deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#576
• [5e34540a96] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#557
• [ba1ae6d188] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS

This is a security release

Notable Changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
• llhttp version 9.2.1
• undici version 5.28.4

USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic fix has been reverted pending further investigation. We apologize for the inconvenience. Original advisory details: Joshua Rogers discovered that Squid incorrectly handled collapsed forwarding. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288) Joshua Rogers discovered that Squid incorrectly handled certain structural elements. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2023-5824) Joshua Rogers discovered that Squid incorrectly handled Cache Manager error responses. A remote trusted client can possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2024-23638) Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked decoder. A remote attacker could possibly use this issue to cause Squid to stop responding, resulting in a denial of service. (CVE-2024-25111) Joshua Rogers discovered that Squid incorrectly handled HTTP header parsing. A remote trusted client can possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2024-25617)

Version:next-20240411 (linux-next) Released:2024-04-11

FEDORA-EPEL-2024-76d6941f10 Packages in this update:

• python-django3-3.2.25-1.el9

Update description:

Security fixes for

• CVE-2024-27351 Potential regular expression DOS in django.utils.text.Truncator.words()
• CVE-2023-41164 Potential DOS vulnerability in django.utils.encoding.uri_to_iri()