SUSE-SU-2018:1183-1: moderate: Security update for nodejs6

sle-security-updates at lists.suse.com
Wed May 9 13:08:44 MDT 2018


   SUSE Security Update: Security update for nodejs6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1183-1
Rating:             moderate
References:         #1087453 #1087459 #1087463 
Cross-References:   CVE-2018-7158 CVE-2018-7159 CVE-2018-7160
                   
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Enterprise Storage 4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for nodejs6 fixes the following issues:

   - Fix some node-gyp permissions

   - New upstream LTS release 6.14.1:
     * Security fixes:
       + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability
         (bsc#1087463)
       + CVE-2018-7158: Fix for 'path' module regular expression denial of
         service (bsc#1087459)
       + CVE-2018-7159: Reject spaces in HTTP Content-Length header values
         (bsc#1087453)

   - New upstream LTS release 6.13.1:
     * http,tls: better support for IPv6 addresses
     * console: added console.count() and console.clear()
     * crypto:
       + expose ECDH class
       + added crypto.randomFill() and crypto.randomFillSync()
       + warn on invalid authentication tag length
     * deps: upgrade libuv to 1.16.1
     * dgram: added socket.setMulticastInterface()
     * http: add agent.keepSocketAlive and agent.reuseSocket to allow
       overridable keep-alive behavior of Agent
     * lib: return this from net.Socket.end()
     * module: add builtinModules api that provides list of all builtin
       modules in Node
     * net: return this from getConnections()
     * promises: more robust stringification for unhandled rejections
     * repl: improve require() autocompletion
     * src:
       + add openssl-system-ca-path configure option
       + add --use-bundled-ca --use-openssl-ca check
       + add process.ppid
     * tls: accept lookup option for tls.connect()
     * tools,build: a new macOS installer!
     * url: WHATWG URL api support
     * util: add %i and %f formatting specifiers
   - Remove any old manpage files in %pre from before update-alternatives
     was used to manage symlinks to these manpages.

   - Add Recommends and BuildRequire on python2 for npm. node-gyp requires
     this old version of python for now. This is only needed for binary
     modules.

   - Even on recent codestreams there is no binutils gold on s390,
     only on s390x

   - New upstream LTS release 6.12.3:
     * v8: profiler-related fixes
     * mostly documentation and test related changes

   - Enable CI tests in %check target


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2018-825=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-825=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2018-825=1



Package List:

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

      nodejs6-6.14.1-11.12.1
      nodejs6-debuginfo-6.14.1-11.12.1
      nodejs6-debugsource-6.14.1-11.12.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):

      nodejs6-6.14.1-11.12.1
      nodejs6-debuginfo-6.14.1-11.12.1
      nodejs6-debugsource-6.14.1-11.12.1
      nodejs6-devel-6.14.1-11.12.1
      npm6-6.14.1-11.12.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs6-docs-6.14.1-11.12.1

   - SUSE Enterprise Storage 4 (aarch64 x86_64):

      nodejs6-6.14.1-11.12.1
      nodejs6-debuginfo-6.14.1-11.12.1
      nodejs6-debugsource-6.14.1-11.12.1


References:

   https://www.suse.com/security/cve/CVE-2018-7158.html
   https://www.suse.com/security/cve/CVE-2018-7159.html
   https://www.suse.com/security/cve/CVE-2018-7160.html
   https://bugzilla.suse.com/1087453
   https://bugzilla.suse.com/1087459
   https://bugzilla.suse.com/1087463
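
A post-update check against the fixed build named in the Package List, as an added example that is not part of the SUSE advisory. The function names are hypothetical, and `sort -V` is assumed to order these purely numeric version-release strings the same way RPM does.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# nodejs6 build is at or above the fixed build listed in the Package List.
FIXED="6.14.1-11.12.1"   # version-release taken from the Package List

# version_at_least INSTALLED FIXED
# Returns 0 when INSTALLED sorts at or after FIXED.
# Assumption: "sort -V" ordering matches RPM ordering for numeric
# version-release strings such as the ones in this advisory.
version_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify INSTALLED
# Prints PATCHED, VULNERABLE or NOT-INSTALLED for one version-release string.
classify() {
    case "$1" in
        ''|*'not installed'*) echo "NOT-INSTALLED" ;;
        *)
            if version_at_least "$1" "$FIXED"; then
                echo "PATCHED"
            else
                echo "VULNERABLE"
            fi
            ;;
    esac
}

# check_host
# Queries the local RPM database; returns non-zero if an older build is found.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs6 2>/dev/null | head -n 1)
    state=$(classify "$installed")
    echo "nodejs6 ${installed:-none}: $state"
    [ "$state" != "VULNERABLE" ]
}

# Run the host check only when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A release such as 11.9.1 sorts below 11.12.1 here, which a plain string comparison would get wrong.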


