SUSE-SU-2018:0952-1: moderate: Security update for nodejs4

[sle-security-updates at lists.suse.com]

   SUSE Security Update: Security update for nodejs4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0952-1
Rating:             moderate
References:         #1087453 #1087459 
Cross-References:   CVE-2018-7158 CVE-2018-7159
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Enterprise Storage 4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for nodejs4 fixes the following issues:

   - Fix some node-gyp permissions

   - New upstream maintenance 4.9.1:
     * Security fixes:
       + CVE-2018-7158: Fix for 'path' module regular expression denial of
         service (bsc#1087459)
       + CVE-2018-7159: Reject spaces in HTTP Content-Length header values
         (bsc#1087453)
     * Upgrade to OpenSSL 1.0.2o
     * deps: reject interior blanks in Content-Length
     * deps: upgrade http-parser to v2.8.0

   - remove any old manpage files in %pre from before update-alternatives
     were used to manage symlinks to these manpages.

   - Add Recommends and BuildRequire on python2 for npm. node-gyp requires
     this old version of python for now. This is only needed for binary
     modules.

   - even on recent codestreams there is no binutils gold on s390
     only on s390x

   - Enable CI tests in %check target


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-649=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2018-649=1



Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):

      nodejs4-4.9.1-15.11.1
      nodejs4-debuginfo-4.9.1-15.11.1
      nodejs4-debugsource-4.9.1-15.11.1
      nodejs4-devel-4.9.1-15.11.1
      npm4-4.9.1-15.11.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs4-docs-4.9.1-15.11.1

   - SUSE Enterprise Storage 4 (aarch64 x86_64):

      nodejs4-4.9.1-15.11.1
      nodejs4-debuginfo-4.9.1-15.11.1
      nodejs4-debugsource-4.9.1-15.11.1


References:

   https://www.suse.com/security/cve/CVE-2018-7158.html
   https://www.suse.com/security/cve/CVE-2018-7159.html
   https://bugzilla.suse.com/1087453
   https://bugzilla.suse.com/1087459