SUSE-SU-2018:0002-1: moderate: Security update for nodejs4

sle-updates at lists.suse.com
Tue Jan 2 04:09:57 MST 2018


   SUSE Security Update: Security update for nodejs4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0002-1
Rating:             moderate
References:         #1056058 #1066242 #1072322 
Cross-References:   CVE-2017-14919 CVE-2017-15896 CVE-2017-3735
                    CVE-2017-3736 CVE-2017-3738
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Enterprise Storage 4
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for nodejs4 fixes the following issues:

   Security issues fixed:

   - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL
     (bsc#1072322).
   - CVE-2017-14919: Embedded zlib issue could cause a DoS via specific
     windowBits value.
   - CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2
     overflow bug on x86_64.
   - CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal
     carry bug on x86_64 (bsc#1066242).
   - CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509
     IPAddressFamily that could cause OOB read (bsc#1056058).

   Bug fixes:

   - Update to release 4.8.7 (bsc#1072322):
     * https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
     * https://nodejs.org/en/blog/release/v4.8.7/
     * https://nodejs.org/en/blog/release/v4.8.6/
     * https://nodejs.org/en/blog/release/v4.8.5/


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-2=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2018-2=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):

      nodejs4-4.8.7-15.8.1
      nodejs4-debuginfo-4.8.7-15.8.1
      nodejs4-debugsource-4.8.7-15.8.1
      nodejs4-devel-4.8.7-15.8.1
      npm4-4.8.7-15.8.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs4-docs-4.8.7-15.8.1

   - SUSE Enterprise Storage 4 (aarch64 x86_64):

      nodejs4-4.8.7-15.8.1
      nodejs4-debuginfo-4.8.7-15.8.1
      nodejs4-debugsource-4.8.7-15.8.1


References:

   https://www.suse.com/security/cve/CVE-2017-14919.html
   https://www.suse.com/security/cve/CVE-2017-15896.html
   https://www.suse.com/security/cve/CVE-2017-3735.html
   https://www.suse.com/security/cve/CVE-2017-3736.html
   https://www.suse.com/security/cve/CVE-2017-3738.html
   https://bugzilla.suse.com/1056058
   https://bugzilla.suse.com/1066242
   https://bugzilla.suse.com/1072322


