Security update for nodejs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2496-1 Final 1 1 2016-10-11T13:51:50Z current 2016-10-11T13:51:50Z 2016-10-11T13:51:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs and security issues: * Nodejs embedded openssl version update + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178, CVE-2016-6306, CVE-2016-7052) + remove support for dynamic 3rd party engine modules * http: Properly validate for allowable characters in input user data. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. (CVE-2016-5325, bsc#985201) * tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652) * buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat() The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html E-Mail link for openSUSE-SU-2016:2496-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 nodejs-4.6.0-33.1 nodejs-devel-4.6.0-33.1 nodejs-docs-4.6.0-33.1 npm-4.6.0-33.1 nodejs-4.6.0-33.1 as a component of openSUSE Leap 42.1 nodejs-devel-4.6.0-33.1 as a component of openSUSE Leap 42.1 nodejs-docs-4.6.0-33.1 as a component of openSUSE Leap 42.1 npm-4.6.0-33.1 as a component of openSUSE Leap 42.1 The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code. CVE-2016-1669 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-1669.html CVE-2016-1669 https://bugzilla.suse.com/979859 SUSE Bug 979859 https://bugzilla.suse.com/987919 SUSE Bug 987919 The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. CVE-2016-2178 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 moderate 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-2178.html CVE-2016-2178 https://bugzilla.suse.com/983249 SUSE Bug 983249 https://bugzilla.suse.com/983519 SUSE Bug 983519 https://bugzilla.suse.com/999665 SUSE Bug 999665 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. CVE-2016-2183 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-2183.html CVE-2016-2183 https://bugzilla.suse.com/1001912 SUSE Bug 1001912 https://bugzilla.suse.com/1020747 SUSE Bug 1020747 https://bugzilla.suse.com/1024218 SUSE Bug 1024218 https://bugzilla.suse.com/1027038 SUSE Bug 1027038 https://bugzilla.suse.com/1034689 SUSE Bug 1034689 https://bugzilla.suse.com/1171693 SUSE Bug 1171693 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/995359 SUSE Bug 995359 CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. CVE-2016-5325 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 moderate 4 AV:N/AC:H/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-5325.html CVE-2016-5325 https://bugzilla.suse.com/985201 SUSE Bug 985201 https://bugzilla.suse.com/985202 SUSE Bug 985202 Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. CVE-2016-6304 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-6304.html CVE-2016-6304 https://bugzilla.suse.com/1001706 SUSE Bug 1001706 https://bugzilla.suse.com/1003811 SUSE Bug 1003811 https://bugzilla.suse.com/1005579 SUSE Bug 1005579 https://bugzilla.suse.com/1021375 SUSE Bug 1021375 https://bugzilla.suse.com/999665 SUSE Bug 999665 https://bugzilla.suse.com/999666 SUSE Bug 999666 The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. CVE-2016-6306 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-6306.html CVE-2016-6306 https://bugzilla.suse.com/999665 SUSE Bug 999665 https://bugzilla.suse.com/999668 SUSE Bug 999668 crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. CVE-2016-7052 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-7052.html CVE-2016-7052 https://bugzilla.suse.com/1001148 SUSE Bug 1001148 The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. CVE-2016-7099 openSUSE Leap 42.1:nodejs-4.6.0-33.1 openSUSE Leap 42.1:nodejs-devel-4.6.0-33.1 openSUSE Leap 42.1:nodejs-docs-4.6.0-33.1 openSUSE Leap 42.1:npm-4.6.0-33.1 important 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html https://www.suse.com/security/cve/CVE-2016-7099.html CVE-2016-7099 https://bugzilla.suse.com/1001652 SUSE Bug 1001652