Security update for nodejs4
| Announcement ID: | SUSE-SU-2017:0855-1 |
|---|---|
| Rating: | moderate |
An update that solves three vulnerabilities and has one security fix can now be installed.
Description:
This update for nodejs4 fixes the following issues:
- New upstream LTS release 4.7.3
  - The embedded openssl sources were updated to 1.0.2k (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, bsc#1022085, bsc#1022086, bsc#1009528)
- No changes in LTS version 4.7.2
- New upstream LTS release 4.7.1
  - build: shared library support is now working for AIX builds
  - repl: passing options to the repl will no longer overwrite defaults
  - timers: recanceling a cancelled timer will no longer throw
- New upstream LTS version 4.7.0
  - build: introduce the configure --shared option for embedders
  - debugger: make listen address configurable in debugger server
  - dgram: generalized send queue to handle close, fixing a potential throw when dgram socket is closed in the listening event handler
  - http: introduce the 451 status code "Unavailable For Legal Reasons"
  - gtest: the test reporter now outputs tap comments as yamlish
  - tls: introduce secureContext for tls.connect (useful for caching client certificates, key, and CA certificates)
  - tls: fix memory leak when writing data to TLSWrap instance during handshake
  - src: node no longer aborts when c-ares initialization fails
- ported and updated system CA store for the new node crypto code
- New upstream LTS version 4.6.2
  - build:
    - It is now possible to build the documentation from the release tarball.
  - buffer:
    - Buffer.alloc() will no longer incorrectly return a zero filled buffer when an encoding is passed.
  - deps:
    - Upgrade npm in LTS to 2.15.11.
  - repl:
    - Enable tab completion for global properties.
  - url:
    - url.format() will now encode all "#" in search.
- Add missing conflicts to base package. It's not possible to have concurrent nodejs installations.
- enable usage of system certificate store on SLE11SP4 by requiring openssl1 (bsc#1000036)
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- Web and Scripting Module 12
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2017-476=1
- SUSE Enterprise Storage 4
  zypper in -t patch SUSE-Storage-4-2017-476=1
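The following check is an added example, not part of the SUSE advisory: run with the node binary in use, it compares what `process.versions` reports against the fixed releases named in the description (Node.js 4.7.3, embedded OpenSSL 1.0.2k). The function names and the handling of OpenSSL's letter suffix are this example's own.

```javascript
'use strict';

// Fixed versions as stated in the advisory text.
const FIXED = { node: '4.7.3', openssl: '1.0.2k' };

// Split "4.7.3" or "1.0.2k" into three numbers plus an optional
// OpenSSL patch-letter suffix ("" < "a" < ... < "z" < "za").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v));
  if (!m) throw new Error('unrecognised version string: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], letters: m[4] };
}

// Returns -1, 0 or 1 for a < b, a == b, a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.letters === y.letters) return 0;
  if (x.letters.length !== y.letters.length) {
    return x.letters.length < y.letters.length ? -1 : 1;
  }
  return x.letters < y.letters ? -1 : 1;
}

// Returns one message per component still below the fixed release
// (an empty list means the runtime is at or above both).
function findOutdated(versions) {
  return Object.keys(FIXED).filter(function (name) {
    return compareVersions(versions[name], FIXED[name]) < 0;
  }).map(function (name) {
    return name + ' ' + versions[name] + ' is older than ' + FIXED[name];
  });
}

// process.versions describes the binary executing this script.
const outdated = findOutdated(process.versions);
console.log(outdated.length ? outdated.join('\n')
                            : 'runtime is at or above the fixed versions');
```

The result describes only the binary that executes the script, so a Node.js process started before the update has to be restarted to pick up the new build.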
Package List:
- Web and Scripting Module 12 (aarch64 ppc64le x86_64)
  - nodejs4-devel-4.7.3-14.1
  - nodejs4-4.7.3-14.1
  - nodejs4-debugsource-4.7.3-14.1
  - nodejs4-debuginfo-4.7.3-14.1
  - npm4-4.7.3-14.1
- Web and Scripting Module 12 (noarch)
  - nodejs4-docs-4.7.3-14.1
- SUSE Enterprise Storage 4 (aarch64 x86_64)
  - nodejs4-debuginfo-4.7.3-14.1
  - nodejs4-debugsource-4.7.3-14.1
  - nodejs4-4.7.3-14.1
References:
- https://www.suse.com/security/cve/CVE-2016-7055.html
- https://www.suse.com/security/cve/CVE-2017-3731.html
- https://www.suse.com/security/cve/CVE-2017-3732.html
- https://bugzilla.suse.com/show_bug.cgi?id=1000036
- https://bugzilla.suse.com/show_bug.cgi?id=1009528
- https://bugzilla.suse.com/show_bug.cgi?id=1022085
- https://bugzilla.suse.com/show_bug.cgi?id=1022086