Security update for nodejs4

SUSE Security Update: Security update for nodejs4
Announcement ID: SUSE-SU-2017:0855-1
Rating: moderate
References: #1000036 #1009528 #1022085 #1022086
Affected Products:
  • SUSE Linux Enterprise Module for Web Scripting 12
  • SUSE Enterprise Storage 4

An update that solves three vulnerabilities and has one errata is now available.


    This update for nodejs4 fixes the following issues:

    - New upstream LTS release 4.7.3
    * The embedded openssl sources were updated to 1.0.2k
    (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, bsc#1022085,
    bsc#1022086, bsc#1009528)
    - No changes in LTS version 4.7.2

    - New upstream LTS release 4.7.1
    * build: shared library support is now working for AIX builds
    * repl: passing options to the repl will no longer overwrite defaults
    * timers: recanceling a cancelled timer will no longer throw

    - New upstream LTS version 4.7.0
    * build: introduce the configure --shared option for embedders
    * debugger: make listen address configurable in debugger server
    * dgram: generalized send queue to handle close, fixing a potential
    throw when dgram socket is closed in the listening event handler
    * http: introduce the 451 status code "Unavailable For Legal Reasons"
    * gtest: the test reporter now outputs tap comments as yamlish
    * tls: introduce secureContext for tls.connect (useful for caching
    client certificates, key, and CA certificates)
    * tls: fix memory leak when writing data to TLSWrap instance during
    * src: node no longer aborts when c-ares initialization fails
    * ported and updated system CA store for the new node crypto code

    - New upstream LTS version 4.6.2
    * build:
    + It is now possible to build the documentation from the release
    * buffer:
    + Buffer.alloc() will no longer incorrectly return a zero filled
    buffer when an encoding is passed.
    * deps:
    + Upgrade npm in LTS to 2.15.11.
    * repl:
    + Enable tab completion for global properties.
    * url:
    + url.format() will now encode all "#" in search.

    - Add missing conflicts to base package. It's not possible to have
    concurrent nodejs installations.

    - Enable usage of the system certificate store on SLE11SP4 by requiring
    openssl1 (bsc#1000036)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2017-476=1
    • SUSE Enterprise Storage 4:
      zypper in -t patch SUSE-Storage-4-2017-476=1

    To bring your system up-to-date, use "zypper patch".
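
The OpenSSL fixes in this update ship inside the nodejs4 package itself (the embedded sources were updated), so after patching it is the Node.js runtime that has to report the fixed versions. The check below is an added example, not part of the SUSE advisory; it compares `process.versions` against the levels named above (4.7.3 and 1.0.2k), and its function names are illustrative.

```javascript
// Added example, not part of the SUSE advisory. Written in ES5 so that it
// also runs on the Node.js 4 runtime being patched.
// Fixed levels as stated in the advisory: Node.js 4.7.3, embedded OpenSSL 1.0.2k.
var FIXED = { node: '4.7.3', openssl: '1.0.2k' };

// Split "v4.7.3", "1.0.2k" or "1.0.2k-fips" into numeric parts plus the
// OpenSSL letter suffix (ordering: "" < "a" < ... < "z" < "za").
function parseVersion(text) {
  var m = /^v?(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(text).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], suffix: m[4] };
}

// Return -1, 0 or 1; null when either side cannot be parsed.
function compareVersions(a, b) {
  var pa = parseVersion(a);
  var pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (var i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  // Same numeric version: a longer letter suffix is newer, then alphabetical.
  if (pa.suffix.length !== pb.suffix.length) {
    return pa.suffix.length < pb.suffix.length ? -1 : 1;
  }
  if (pa.suffix === pb.suffix) return 0;
  return pa.suffix < pb.suffix ? -1 : 1;
}

// Takes an object shaped like process.versions and returns a list of
// findings, empty when both components are at or above the fixed level.
function checkRuntime(versions) {
  var findings = [];
  Object.keys(FIXED).forEach(function (key) {
    var cmp = versions[key] ? compareVersions(versions[key], FIXED[key]) : null;
    if (cmp === null) {
      findings.push(key + ': version missing or unparseable');
    } else if (cmp < 0) {
      findings.push(key + ' ' + versions[key] + ' is older than ' + FIXED[key]);
    }
  });
  return findings;
}

// Report on the runtime that executes this script.
var report = checkRuntime(process.versions);
console.log(report.length ? report.join('\n') : 'node and embedded openssl are at or above the fixed levels');
```

Run it with the Node.js binary that serves the application; a process started before the update keeps the old embedded OpenSSL in memory until it is restarted.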

    Package List:

    • SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):
      • nodejs4-4.7.3-14.1
      • nodejs4-debuginfo-4.7.3-14.1
      • nodejs4-debugsource-4.7.3-14.1
      • nodejs4-devel-4.7.3-14.1
      • npm4-4.7.3-14.1
    • SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
      • nodejs4-docs-4.7.3-14.1
    • SUSE Enterprise Storage 4 (aarch64 x86_64):
      • nodejs4-4.7.3-14.1
      • nodejs4-debuginfo-4.7.3-14.1
      • nodejs4-debugsource-4.7.3-14.1