Security update for nodejs4

SUSE Security Update: Security update for nodejs4
Announcement ID: SUSE-SU-2018:0002-1
Rating: moderate
References: #1056058 #1066242 #1072322
Affected Products:
  • SUSE Linux Enterprise Module for Web Scripting 12
  • SUSE Enterprise Storage 4

An update that fixes 5 vulnerabilities is now available.

    Description:

    This update for nodejs4 fixes the following issues:

    Security issues fixed:

    - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL
    (bsc#1072322).
    - CVE-2017-14919: Embedded zlib issue could cause a DoS via specific
    windowBits value.
    - CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2
    overflow bug on x86_64.
    - CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal
    carry bug on x86_64 (bsc#1066242).
    - CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509
    IPAddressFamily that could cause OOB read (bsc#1056058).

    Bug fixes:

    - Update to release 4.8.7 (bsc#1072322):
    * https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
    * https://nodejs.org/en/blog/release/v4.8.7/
    * https://nodejs.org/en/blog/release/v4.8.6/
    * https://nodejs.org/en/blog/release/v4.8.5/

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-2=1
    • SUSE Enterprise Storage 4:
      zypper in -t patch SUSE-Storage-4-2018-2=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):
      • nodejs4-4.8.7-15.8.1
      • nodejs4-debuginfo-4.8.7-15.8.1
      • nodejs4-debugsource-4.8.7-15.8.1
      • nodejs4-devel-4.8.7-15.8.1
      • npm4-4.8.7-15.8.1
    • SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
      • nodejs4-docs-4.8.7-15.8.1
    • SUSE Enterprise Storage 4 (aarch64 x86_64):
      • nodejs4-4.8.7-15.8.1
      • nodejs4-debuginfo-4.8.7-15.8.1
      • nodejs4-debugsource-4.8.7-15.8.1
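
    To confirm the update landed, installed package versions can be compared against the fixed release 4.8.7-15.8.1 from the package list above. The script below is an added example, not part of the SUSE announcement; the helper names `ver_ge` and `list_unpatched`, the sample input and the simplified numeric comparison (not a full rpmvercmp) are assumptions.

```shell
#!/bin/sh
# Added example: flag nodejs4/npm4 packages older than the fixed release
# named in this advisory.
FIXED="4.8.7-15.8.1"

# ver_ge A B: succeed if version-release A >= B.
# Assumption: every field is numeric and separated by '.' or '-', as in
# this advisory's package list. This is not a full rpmvercmp.
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $a                      # fields of A become $1, $2, ...
    for fb in $b; do
        fa=${1:-0}                 # a missing field in A counts as 0
        [ $# -gt 0 ] && shift
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0                       # all compared fields equal
}

# list_unpatched: read "NAME VERSION-RELEASE" lines on stdin and print
# those that are older than $FIXED.
list_unpatched() {
    while read -r name vr; do
        [ -n "$name" ] || continue
        ver_ge "$vr" "$FIXED" || printf '%s %s\n' "$name" "$vr"
    done
}

# Constructed sample in the format produced by:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' nodejs4 npm4 nodejs4-docs
# (4.8.4-15.5.1 is a made-up older release used only for illustration).
SAMPLE='nodejs4 4.8.4-15.5.1
npm4 4.8.7-15.8.1
nodejs4-docs 4.8.7-15.8.1'

printf '%s\n' "$SAMPLE" | list_unpatched
```

    On a real host, pipe the `rpm -q --qf` command shown in the comment into `list_unpatched` instead of the sample; empty output means every queried package is at or above the fixed release.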

    References: