Security update for nodejs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0138-1 Final 1 1 2016-01-15T14:43:21Z current 2016-01-15T14:43:21Z 2016-01-15T14:43:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs This update contains nodejs 4.2.4 and fixes the following issues: - CVE-2015-6764: unspecified out-of-bounds access vulnerability (boo#956902) - CVE-2015-8027: unspecified denial of service vulnerability (boo#956901) The following non-security bugs were fixed: - boo#948045: Nodejs 4.0 rpm does not install addon-rpm.gypi - boo#961254: common.gypi should install at /usr/share/node and npm requires nodejs-devel Also contains all upstream bug fixes and improvements in the 4.2.2, 4.2.3 and 4.2.4 releases. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-01/msg00045.html E-Mail link for openSUSE-SU-2016:0138-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 nodejs-4.2.4-15.1 nodejs-devel-4.2.4-15.1 nodejs-doc-4.2.4-9.1 nodejs-docs-4.2.4-15.1 npm-4.2.4-15.1 nodejs-4.2.4-15.1 as a component of openSUSE Leap 42.1 nodejs-devel-4.2.4-15.1 as a component of openSUSE Leap 42.1 nodejs-doc-4.2.4-9.1 as a component of openSUSE Leap 42.1 nodejs-docs-4.2.4-15.1 as a component of openSUSE Leap 42.1 npm-4.2.4-15.1 as a component of openSUSE Leap 42.1 The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via crafted JavaScript code. CVE-2015-6764 openSUSE Leap 42.1:nodejs-4.2.4-15.1 openSUSE Leap 42.1:nodejs-devel-4.2.4-15.1 openSUSE Leap 42.1:nodejs-doc-4.2.4-9.1 openSUSE Leap 42.1:nodejs-docs-4.2.4-15.1 openSUSE Leap 42.1:npm-4.2.4-15.1 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-01/msg00045.html https://www.suse.com/security/cve/CVE-2015-6764.html CVE-2015-6764 https://bugzilla.suse.com/956902 SUSE Bug 956902 https://bugzilla.suse.com/957519 SUSE Bug 957519 Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request. CVE-2015-8027 openSUSE Leap 42.1:nodejs-4.2.4-15.1 openSUSE Leap 42.1:nodejs-devel-4.2.4-15.1 openSUSE Leap 42.1:nodejs-doc-4.2.4-9.1 openSUSE Leap 42.1:nodejs-docs-4.2.4-15.1 openSUSE Leap 42.1:npm-4.2.4-15.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-01/msg00045.html https://www.suse.com/security/cve/CVE-2015-8027.html CVE-2015-8027 https://bugzilla.suse.com/956901 SUSE Bug 956901