Security update for nodejs4

Announcement ID:	SUSE-SU-2016:2470-1
Rating:	important
References:	bsc#1001652 bsc#985201
Cross-References:	CVE-2016-2178 CVE-2016-2183 CVE-2016-5325 CVE-2016-6304 CVE-2016-6306 CVE-2016-7052 CVE-2016-7099
CVSS scores:	CVE-2016-2178 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2016-2178 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2016-2183 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-2183 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-5325 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2016-6304 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-6304 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-6306 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-6306 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-7052 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-7052 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-7099 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 Web and Scripting Module 12

An update that solves seven vulnerabilities can now be installed.

Description:

This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs and security issues:

• Nodejs embedded openssl version update
  • upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178, CVE-2016-6306, CVE-2016-7052)
  • remove support for dynamic 3rd party engine modules
• http: Properly validate for allowable characters in input user data. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. (CVE-2016-5325, bsc#985201)
• tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)
• buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat()

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Web and Scripting Module 12
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1439=1

Package List:

• Web and Scripting Module 12 (aarch64 ppc64le x86_64)
  • nodejs4-debugsource-4.6.0-8.1
  • nodejs4-4.6.0-8.1
  • nodejs4-devel-4.6.0-8.1
  • nodejs4-debuginfo-4.6.0-8.1
  • npm4-4.6.0-8.1
• Web and Scripting Module 12 (noarch)
  • nodejs4-docs-4.6.0-8.1

References:

• https://www.suse.com/security/cve/CVE-2016-2178.html
• https://www.suse.com/security/cve/CVE-2016-2183.html
• https://www.suse.com/security/cve/CVE-2016-5325.html
• https://www.suse.com/security/cve/CVE-2016-6304.html
• https://www.suse.com/security/cve/CVE-2016-6306.html
• https://www.suse.com/security/cve/CVE-2016-7052.html
• https://www.suse.com/security/cve/CVE-2016-7099.html
• https://bugzilla.suse.com/show_bug.cgi?id=1001652
• https://bugzilla.suse.com/show_bug.cgi?id=985201