SUSE-SU-2017:0855-1: moderate: Security update for nodejs4

sle-security-updates at lists.suse.com
Wed Mar 29 10:13:34 MDT 2017


   SUSE Security Update: Security update for nodejs4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:0855-1
Rating:             moderate
References:         #1000036 #1009528 #1022085 #1022086 
Cross-References:   CVE-2016-7055 CVE-2017-3731 CVE-2017-3732
                   
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Enterprise Storage 4
______________________________________________________________________________

   An update that solves three vulnerabilities and includes one
   erratum is now available.

Description:


   This update for nodejs4 fixes the following issues:

   - New upstream LTS release 4.7.3. The embedded OpenSSL sources were
     updated to 1.0.2k (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055,
     bsc#1022085, bsc#1022086, bsc#1009528)
   - No changes in LTS version 4.7.2

   - New upstream LTS release 4.7.1
     * build: shared library support is now working for AIX builds
     * repl: passing options to the repl will no longer overwrite defaults
     * timers: re-canceling a cancelled timer will no longer throw

   - New upstream LTS version 4.7.0
     * build: introduce the configure --shared option for embedders
     * debugger: make listen address configurable in debugger server
     * dgram: generalized send queue to handle close, fixing a potential
       throw when dgram socket is closed in the listening event handler
     * http: introduce the 451 status code "Unavailable For Legal Reasons"
     * gtest: the test reporter now outputs tap comments as yamlish
     * tls: introduce secureContext for tls.connect (useful for caching
       client certificates, key, and CA certificates)
     * tls: fix memory leak when writing data to TLSWrap instance during
       handshake
     * src: node no longer aborts when c-ares initialization fails
     * ported and updated system CA store for the new node crypto code

   - New upstream LTS version 4.6.2
     * build:
       + It is now possible to build the documentation from the release
         tarball.
     * buffer:
       + Buffer.alloc() will no longer incorrectly return a zero filled
         buffer when an encoding is passed.
     * deps:
       + Upgrade npm in LTS to 2.15.11.
     * repl:
       + Enable tab completion for global properties.
     * url:
       + url.format() will now encode all "#" in search.

   - Add missing conflicts to base package. It's not possible to have
     concurrent nodejs installations.

   - Enable usage of system certificate store on SLE11SP4 by requiring
     openssl1 (bsc#1000036)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2017-476=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2017-476=1

   To bring your system up-to-date, use "zypper patch".
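
Because nodejs4 carries its own embedded OpenSSL, the system openssl package says nothing about what a Node.js process actually uses. The script below is an added example, not part of the SUSE announcement or the Node.js project: it compares the running interpreter against the fixed versions named above (4.7.3 and OpenSSL 1.0.2k). The helper names `parseVersion`, `compareVersions` and `auditRuntime` are hypothetical.

```javascript
'use strict';
// Added example, not from the SUSE advisory. The fixed versions are taken
// from the advisory text: Node.js LTS 4.7.3 with embedded OpenSSL 1.0.2k.
const FIXED_NODE = '4.7.3';
const FIXED_OPENSSL = '1.0.2k';

// Parse "v4.7.3", "1.0.2k" or "3.0.13+quic" into numeric parts plus the
// OpenSSL 1.0.x patch-letter suffix ("" when there is none).
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(text));
  if (!m) throw new Error('unrecognised version string: ' + text);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], letters: m[4] };
}

// Returns <0, 0 or >0. Letter suffixes order as "" < a < ... < z < za.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.letters.length !== y.letters.length) {
    return x.letters.length - y.letters.length;
  }
  return x.letters < y.letters ? -1 : x.letters > y.letters ? 1 : 0;
}

// Hypothetical helper: list what is still below the advisory's fixed versions.
// The Node.js check applies only to the 4.x line this advisory covers.
function auditRuntime(versions) {
  const findings = [];
  const node = parseVersion(versions.node);
  if (node.nums[0] === 4 && compareVersions(versions.node, FIXED_NODE) < 0) {
    findings.push('node ' + versions.node + ' is older than ' + FIXED_NODE);
  }
  if (compareVersions(versions.openssl, FIXED_OPENSSL) < 0) {
    findings.push('embedded OpenSSL ' + versions.openssl +
                  ' is older than ' + FIXED_OPENSSL);
  }
  return findings;
}

// Audit the interpreter that is running this script.
const findings = auditRuntime(process.versions);
console.log(findings.length ? findings.join('\n')
                            : 'runtime meets the advisory versions');
```

Run it with the same node binary your services use. Processes started before the update keep the old embedded OpenSSL in memory until they are restarted.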


Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):

      nodejs4-4.7.3-14.1
      nodejs4-debuginfo-4.7.3-14.1
      nodejs4-debugsource-4.7.3-14.1
      nodejs4-devel-4.7.3-14.1
      npm4-4.7.3-14.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs4-docs-4.7.3-14.1

   - SUSE Enterprise Storage 4 (aarch64 x86_64):

      nodejs4-4.7.3-14.1
      nodejs4-debuginfo-4.7.3-14.1
      nodejs4-debugsource-4.7.3-14.1


References:

   https://www.suse.com/security/cve/CVE-2016-7055.html
   https://www.suse.com/security/cve/CVE-2017-3731.html
   https://www.suse.com/security/cve/CVE-2017-3732.html
   https://bugzilla.suse.com/1000036
   https://bugzilla.suse.com/1009528
   https://bugzilla.suse.com/1022085
   https://bugzilla.suse.com/1022086


