Security update for nodejs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1566-1 Final 1 1 2016-06-14T06:03:38Z current 2016-06-14T06:03:38Z 2016-06-14T06:03:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs This update for nodejs to version 4.4.5 fixes the several issues. These security issues introduced by the bundled openssl were fixed by going to version 1.0.2h: - CVE-2016-2107: The AES-NI implementation in OpenSSL did not consider memory allocation during a certain padding check, which allowed remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session (bsc#977616). - CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data (bsc#977614). - CVE-2016-0705: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#968047). - CVE-2016-0797: Multiple integer overflows in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c (bsc#968048). - CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL did not properly consider cache-bank access times during modular exponentiation, which made it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a 'CacheBleed' attack (bsc#968050). These non-security issues were fixed: - Fix faulty 'if' condition (string cannot equal a boolean). - buffer: Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer. - contextify: Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth. - Update npm to 2.15.5. - http: Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. - deps: Fix --gdbjit for embedders. Backported from v8 upstream. - querystring: Restore throw when attempting to stringify bad surrogate pair. - https: Under certain conditions SSL sockets may have been causing a memory leak when keepalive is enabled. This is no longer the case. - lib: The way that we were internally passing arguments was causing a potential leak. By copying the arguments into an array we can avoid this. - repl: Previously if you were using the repl in strict mode the column number would be wrong in a stack trace. This is no longer an issue. - deps: An update to v8 that introduces a new flag --perf_basic_prof_only_functions. - http: A new feature in http(s) agent that catches errors on keep alived connections. - src: Better support for big-endian systems. - tls: A new feature that allows you to pass common SSL options to tls.createSecurePair. - build: Support python path that includes spaces. - https: A potential fix for #3692 (HTTP/HTTPS client requests throwing EPROTO). - installer: More readable profiling information from isolate tick logs. - process: Add support for symbols in event emitters (symbols didn't exist when it was written). - querystring: querystring.parse() is now 13-22% faster! - streams: Performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html E-Mail link for openSUSE-SU-2016:1566-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 nodejs-4.4.5-27.1 nodejs-devel-4.4.5-27.1 nodejs-docs-4.4.5-27.1 npm-4.4.5-27.1 nodejs-4.4.5-27.1 as a component of openSUSE Leap 42.1 nodejs-devel-4.4.5-27.1 as a component of openSUSE Leap 42.1 nodejs-docs-4.4.5-27.1 as a component of openSUSE Leap 42.1 npm-4.4.5-27.1 as a component of openSUSE Leap 42.1 The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack. CVE-2016-0702 openSUSE Leap 42.1:nodejs-4.4.5-27.1 openSUSE Leap 42.1:nodejs-devel-4.4.5-27.1 openSUSE Leap 42.1:nodejs-docs-4.4.5-27.1 openSUSE Leap 42.1:npm-4.4.5-27.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html https://www.suse.com/security/cve/CVE-2016-0702.html CVE-2016-0702 https://bugzilla.suse.com/1007806 SUSE Bug 1007806 https://bugzilla.suse.com/968044 SUSE Bug 968044 https://bugzilla.suse.com/968050 SUSE Bug 968050 https://bugzilla.suse.com/971238 SUSE Bug 971238 https://bugzilla.suse.com/990370 SUSE Bug 990370 Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key. CVE-2016-0705 openSUSE Leap 42.1:nodejs-4.4.5-27.1 openSUSE Leap 42.1:nodejs-devel-4.4.5-27.1 openSUSE Leap 42.1:nodejs-docs-4.4.5-27.1 openSUSE Leap 42.1:npm-4.4.5-27.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html https://www.suse.com/security/cve/CVE-2016-0705.html CVE-2016-0705 https://bugzilla.suse.com/968044 SUSE Bug 968044 https://bugzilla.suse.com/968047 SUSE Bug 968047 https://bugzilla.suse.com/971238 SUSE Bug 971238 https://bugzilla.suse.com/976341 SUSE Bug 976341 Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c. CVE-2016-0797 openSUSE Leap 42.1:nodejs-4.4.5-27.1 openSUSE Leap 42.1:nodejs-devel-4.4.5-27.1 openSUSE Leap 42.1:nodejs-docs-4.4.5-27.1 openSUSE Leap 42.1:npm-4.4.5-27.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html https://www.suse.com/security/cve/CVE-2016-0797.html CVE-2016-0797 https://bugzilla.suse.com/968044 SUSE Bug 968044 https://bugzilla.suse.com/968048 SUSE Bug 968048 https://bugzilla.suse.com/990370 SUSE Bug 990370 Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data. CVE-2016-2105 openSUSE Leap 42.1:nodejs-4.4.5-27.1 openSUSE Leap 42.1:nodejs-devel-4.4.5-27.1 openSUSE Leap 42.1:nodejs-docs-4.4.5-27.1 openSUSE Leap 42.1:npm-4.4.5-27.1 low 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html https://www.suse.com/security/cve/CVE-2016-2105.html CVE-2016-2105 https://bugzilla.suse.com/977584 SUSE Bug 977584 https://bugzilla.suse.com/977614 SUSE Bug 977614 https://bugzilla.suse.com/978492 SUSE Bug 978492 https://bugzilla.suse.com/989902 SUSE Bug 989902 https://bugzilla.suse.com/990369 SUSE Bug 990369 https://bugzilla.suse.com/990370 SUSE Bug 990370 The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169. CVE-2016-2107 openSUSE Leap 42.1:nodejs-4.4.5-27.1 openSUSE Leap 42.1:nodejs-devel-4.4.5-27.1 openSUSE Leap 42.1:nodejs-docs-4.4.5-27.1 openSUSE Leap 42.1:npm-4.4.5-27.1 important 7.1 AV:N/AC:M/Au:N/C:C/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html https://www.suse.com/security/cve/CVE-2016-2107.html CVE-2016-2107 https://bugzilla.suse.com/976942 SUSE Bug 976942 https://bugzilla.suse.com/977584 SUSE Bug 977584 https://bugzilla.suse.com/977616 SUSE Bug 977616 https://bugzilla.suse.com/978492 SUSE Bug 978492 https://bugzilla.suse.com/990369 SUSE Bug 990369 https://bugzilla.suse.com/990370 SUSE Bug 990370