Security update for nodejs4

Announcement ID:	SUSE-SU-2019:0658-1
Rating:	moderate
References:	bsc#1127080 bsc#1127532 bsc#1127533
Cross-References:	CVE-2019-1559 CVE-2019-5737 CVE-2019-5739
CVSS scores:	CVE-2019-1559 ( SUSE ): 4.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVE-2019-1559 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-1559 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-5737 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-5737 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5739 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-5739 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Enterprise Storage 4 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 Web and Scripting Module 12

An update that solves three vulnerabilities can now be installed.

Description:

This update for nodejs4 fixes the following issues:

Security issues fixed:

• CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127533).
• CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532).
• CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Web and Scripting Module 12
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2019-658=1
• SUSE Enterprise Storage 4
  zypper in -t patch SUSE-Storage-4-2019-658=1

Package List:

• Web and Scripting Module 12 (aarch64 ppc64le x86_64)
  • nodejs4-debugsource-4.9.1-15.20.1
  • nodejs4-debuginfo-4.9.1-15.20.1
  • npm4-4.9.1-15.20.1
  • nodejs4-devel-4.9.1-15.20.1
  • nodejs4-4.9.1-15.20.1
• Web and Scripting Module 12 (noarch)
  • nodejs4-docs-4.9.1-15.20.1
• SUSE Enterprise Storage 4 (aarch64 x86_64)
  • nodejs4-4.9.1-15.20.1
  • nodejs4-debuginfo-4.9.1-15.20.1
  • nodejs4-debugsource-4.9.1-15.20.1

References:

• https://www.suse.com/security/cve/CVE-2019-1559.html
• https://www.suse.com/security/cve/CVE-2019-5737.html
• https://www.suse.com/security/cve/CVE-2019-5739.html
• https://bugzilla.suse.com/show_bug.cgi?id=1127080
• https://bugzilla.suse.com/show_bug.cgi?id=1127532
• https://bugzilla.suse.com/show_bug.cgi?id=1127533