SUSE-SU-2017:2168-1: moderate: Security update for nodejs4, nodejs6

sle-updates at lists.suse.com
Tue Aug 15 10:08:37 MDT 2017


   SUSE Security Update: Security update for nodejs4, nodejs6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2168-1
Rating:             moderate
References:         #1041282 #1041283 #1044946 #1048299 
Cross-References:   CVE-2017-1000381 CVE-2017-11499
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Enterprise Storage 4
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes
   is now available.

Description:

   This update for nodejs4 and nodejs6 fixes the following issues:

   Security issues fixed:

   - CVE-2017-1000381: The c-ares function ares_parse_naptr_reply() could be
     triggered to read memory outside of the given input buffer if the
     passed in DNS response packet was crafted in a particular way.
     (bsc#1044946)
   - CVE-2017-11499: Disable V8 snapshots. The hashseed embedded in the
     snapshot is currently the same for all runs of the binary. This opens
     node up to collision attacks which could result in a Denial of Service.
     We have temporarily disabled snapshots until a more robust solution is
     found. (bsc#1048299)

   Non-security fixes:

   - GCC 7 compilation fixes for v8 backported and add missing ICU59 headers
     (bsc#1041282)
   - New upstream LTS release 6.11.1
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.11.1
   - New upstream LTS release 6.11.0
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.11.0
   - New upstream LTS release 6.10.3
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.3
   - New upstream LTS release 6.10.2
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.2
   - New upstream LTS release 6.10.1
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.1
   - New upstream LTS release 6.10.0
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.0

   - New upstream LTS release 4.8.4
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.4
   - New upstream LTS release 4.8.3
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.3
   - New upstream LTS release 4.8.2
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.2
   - New upstream LTS release 4.8.1
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.1
   - New upstream LTS release 4.8.0
     * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.0


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2017-1331=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2017-1331=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2017-1331=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

      nodejs6-6.11.1-11.5.1
      nodejs6-debuginfo-6.11.1-11.5.1
      nodejs6-debugsource-6.11.1-11.5.1

   - SUSE OpenStack Cloud 7 (noarch):

      nodejs-common-1.0-2.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):

      nodejs6-6.11.1-11.5.1
      nodejs6-debuginfo-6.11.1-11.5.1
      nodejs6-debugsource-6.11.1-11.5.1
      nodejs6-devel-6.11.1-11.5.1
      npm6-6.11.1-11.5.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):

      nodejs4-4.8.4-15.5.1
      nodejs4-debuginfo-4.8.4-15.5.1
      nodejs4-debugsource-4.8.4-15.5.1
      nodejs4-devel-4.8.4-15.5.1
      npm4-4.8.4-15.5.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs-common-1.0-2.1
      nodejs4-docs-4.8.4-15.5.1
      nodejs6-docs-6.11.1-11.5.1

   - SUSE Enterprise Storage 4 (aarch64 x86_64):

      nodejs4-4.8.4-15.5.1
      nodejs4-debuginfo-4.8.4-15.5.1
      nodejs4-debugsource-4.8.4-15.5.1
      nodejs6-6.11.1-11.5.1
      nodejs6-debuginfo-6.11.1-11.5.1
      nodejs6-debugsource-6.11.1-11.5.1

   - SUSE Enterprise Storage 4 (noarch):

      nodejs-common-1.0-2.1


References:

   https://www.suse.com/security/cve/CVE-2017-1000381.html
   https://www.suse.com/security/cve/CVE-2017-11499.html
   https://bugzilla.suse.com/1041282
   https://bugzilla.suse.com/1041283
   https://bugzilla.suse.com/1044946
   https://bugzilla.suse.com/1048299
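
Added example (not part of the SUSE advisory): a shell check that compares installed package versions against the fixed versions in the Package List above, to confirm a host actually received the update. The function names and the sample input are constructed for illustration, and GNU "sort -V" is assumed as an approximation of rpm's version ordering.

```shell
#!/bin/sh
# Fixed version-release per package, copied from the advisory's Package List.
fixed_version() {
    case "$1" in
        nodejs6|nodejs6-devel|nodejs6-docs|npm6) echo "6.11.1-11.5.1" ;;
        nodejs4|nodejs4-devel|nodejs4-docs|npm4) echo "4.8.4-15.5.1" ;;
        nodejs-common)                           echo "1.0-2.1" ;;
        *) return 1 ;;   # package not covered by this advisory
    esac
}

# Succeeds when version $1 is the same as or newer than $2.
# Assumption: GNU sort -V ordering is close enough to rpm's for these strings.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin, reports each covered package,
# and returns non-zero if any of them is older than the fixed version.
audit_packages() {
    rc=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        want=$(fixed_version "$name") || continue
        if version_ge "$ver" "$want"; then
            echo "OK $name $ver"
        else
            echo "NEEDS-UPDATE $name $ver (fixed in $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample standing in for the output of:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'nodejs*' 'npm*'
SAMPLE='nodejs6 6.9.5-7.1
nodejs4 4.8.4-15.5.1
npm6 6.11.1-11.5.1
bash 4.3-83.5.2'

printf '%s\n' "$SAMPLE" | audit_packages \
    || echo "at least one package predates SUSE-SU-2017:2168-1"
```

On a real host, pipe the rpm query shown in the comment into audit_packages instead of the sample.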


