Security update for nodejs4 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0967-1 Final 1 1 2018-04-17T06:39:20Z current 2018-04-17T06:39:20Z 2018-04-17T06:39:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs4 This update for nodejs4 fixes the following issues: - Fix some node-gyp permissions - New upstream maintenance 4.9.1: * Security fixes: + CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459) + CVE-2018-7159: Reject spaces in HTTP Content-Length header values (bsc#1087453) * Upgrade to OpenSSL 1.0.2o * deps: reject interior blanks in Content-Length * deps: upgrade http-parser to v2.8.0 - remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages. - Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules. - even on recent codestreams there is no binutils gold on s390 only on s390x - Enable CI tests in %check target This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-04/msg00042.html E-Mail link for openSUSE-SU-2018:0967-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 nodejs4-4.9.1-14.1 nodejs4-devel-4.9.1-14.1 nodejs4-docs-4.9.1-14.1 npm4-4.9.1-14.1 nodejs4-4.9.1-14.1 as a component of openSUSE Leap 42.3 nodejs4-devel-4.9.1-14.1 as a component of openSUSE Leap 42.3 nodejs4-docs-4.9.1-14.1 as a component of openSUSE Leap 42.3 npm4-4.9.1-14.1 as a component of openSUSE Leap 42.3 The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service. CVE-2018-7158 openSUSE Leap 42.3:nodejs4-4.9.1-14.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-14.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-14.1 openSUSE Leap 42.3:npm4-4.9.1-14.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-04/msg00042.html https://www.suse.com/security/cve/CVE-2018-7158.html CVE-2018-7158 https://bugzilla.suse.com/1087459 SUSE Bug 1087459 The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete. CVE-2018-7159 openSUSE Leap 42.3:nodejs4-4.9.1-14.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-14.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-14.1 openSUSE Leap 42.3:npm4-4.9.1-14.1 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-04/msg00042.html https://www.suse.com/security/cve/CVE-2018-7159.html CVE-2018-7159 https://bugzilla.suse.com/1087453 SUSE Bug 1087453