SUSE-SU-2018:0952-1: moderate: Security update for nodejs4

sle-security-updates at
Mon Apr 16 13:07:44 MDT 2018

   SUSE Security Update: Security update for nodejs4

Announcement ID:    SUSE-SU-2018:0952-1
Rating:             moderate
References:         #1087453 #1087459 
Cross-References:   CVE-2018-7158 CVE-2018-7159
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Enterprise Storage 4

   An update that fixes two vulnerabilities is now available.


   This update for nodejs4 fixes the following issues:

   - Fix some node-gyp permissions

   - New upstream maintenance 4.9.1:
     * Security fixes:
       + CVE-2018-7158: Fix for 'path' module regular expression denial of
         service (bsc#1087459)
       + CVE-2018-7159: Reject spaces in HTTP Content-Length header values
     * Upgrade to OpenSSL 1.0.2o
     * deps: reject interior blanks in Content-Length
     * deps: upgrade http-parser to v2.8.0

   - Remove any old manpage files in %pre from before update-alternatives
     was used to manage symlinks to these manpages.

   - Add Recommends and BuildRequire on python2 for npm. node-gyp requires
     this old version of python for now. This is only needed for binary

   - Even on recent codestreams there is no binutils gold on s390,
     only on s390x

   - Enable CI tests in %check target
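
   The Content-Length change listed above (CVE-2018-7159), shown as an added
   example that is not Node.js or http-parser source: a lenient reader that
   skips blanks is compared with a strict reader that rejects interior blanks.
   The function names and sample header values are constructed for illustration.

```javascript
// Added example: models two ways of reading a Content-Length value.
// Not taken from Node.js or http-parser; all names here are hypothetical.

// Lenient model: blanks anywhere in the value are skipped,
// so a value such as "1 2" is read as 12.
function lenientContentLength(value) {
  let n = 0;
  let seenDigit = false;
  for (const ch of value) {
    if (ch === ' ' || ch === '\t') continue;      // interior blanks ignored
    if (ch < '0' || ch > '9') return null;        // non-digit: reject
    n = n * 10 + (ch.charCodeAt(0) - 48);
    seenDigit = true;
  }
  return seenDigit ? n : null;
}

// Strict model: blanks are allowed only before and after the number;
// anything between the first and last digit must itself be a digit.
function strictContentLength(value) {
  const m = /^[ \t]*([0-9]+)[ \t]*$/.exec(value);
  if (m === null) return null;
  const n = Number(m[1]);
  return Number.isSafeInteger(n) ? n : null;      // refuse oversized lengths
}

// Run both readers over raw header values and flag disagreements, which are
// the inputs where two HTTP components could see different body lengths.
function compare(values) {
  return values.map((value) => {
    const lenient = lenientContentLength(value);
    const strict = strictContentLength(value);
    return { value, lenient, strict, disagree: lenient !== strict };
  });
}

// Constructed sample header values (not captured traffic).
const SAMPLES = ['12', ' 12 ', '1 2', '1\t2', '12abc', ''];

for (const row of compare(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```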

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-649=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2018-649=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):


   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):


   - SUSE Enterprise Storage 4 (aarch64 x86_64):


