SUSE-SU-2018:1918-1: moderate: Security update for nodejs8

sle-security-updates
Mon Jul 9 07:09:12 MDT 2018

   SUSE Security Update: Security update for nodejs8

Announcement ID:    SUSE-SU-2018:1918-1
Rating:             moderate
References:         #1091764 #1097375 #1097401 #1097404 
Cross-References:   CVE-2018-1000168 CVE-2018-7161 CVE-2018-7167
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15

   An update that solves three vulnerabilities and has one
   errata is now available.


   This update for nodejs8 to version 8.11.3 fixes the following issues:

   These security issues were fixed:

   - CVE-2018-7167: Calling Buffer.fill() or Buffer.alloc() with some
     parameters could have led to a hang, which could have resulted in a
     denial of service (DoS).
   - CVE-2018-7161: By interacting with the http2 server in a manner that
     triggered a cleanup bug, where objects are used in native code after
     they are no longer available, an attacker could have caused a denial of
     service (DoS) by crashing a node server that provides an http2 server
     (bsc#1097404).
   - CVE-2018-1000168: Fixed a denial of service vulnerability by unbundling
     nghttp2 (bsc#1097401)

Patch Instructions:

   To install this SUSE Security Update, use the SUSE-recommended installation
   methods, such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 15:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2018-1291=1
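
   To confirm the update landed across several hosts, the following added example (not part of the SUSE announcement) classifies collected nodejs8 package versions against the 8.11.3 version named above. The function names and the inventory lines are constructed for illustration, and only the upstream version is compared because the announcement does not list the fixed RPM release.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a package inventory against
# the nodejs8 8.11.3 version named in SUSE-SU-2018:1918-1.
FIXED_VERSION="8.11.3"

# ver_lt A B -> exit 0 when dotted numeric version A is strictly older than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}          # a missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                          # equal versions are not "older"
}

# classify_nodejs8 VERSION[-RELEASE] -> prints fixed | vulnerable | unknown.
# Assumption: the RPM release suffix is ignored; only the upstream version counts.
classify_nodejs8() {
    v=${1%%-*}
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if ver_lt "$v" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# audit_inventory: read "HOST VERSION" lines on stdin, print hosts still to patch.
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(classify_nodejs8 "$ver")
        if [ "$status" != fixed ]; then echo "$host $ver $status"; fi
    done
}

# Constructed sample inventory; on a live host the value would come from
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs8
sample_inventory() {
    cat <<'EOF'
web01 8.9.4-1.12
web02 8.11.3-3.5.1
web03 8.11.1-2.1
web04 8.11.10-1.1
web05 n/a
EOF
}

sample_inventory | audit_inventory
```

   Hosts reported as "unknown" returned a value that is not a package version and need a manual check.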

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 15 (aarch64 ppc64le s390x x86_64):


   - SUSE Linux Enterprise Module for Web Scripting 15 (noarch):


