Описание
Security update for nodejs6
This update for nodejs6 fixes the following issues:
-
Fix some node-gyp permissions
-
New upstream LTS release 6.14.1:
- Security fixes:
- CVE-2018-7160: Fix for inspector DNS rebinding vulnerability (bsc#1087463)
- CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459)
- CVE-2018-7159: Reject spaces in HTTP Content-Length header values (bsc#1087453)
- Security fixes:
-
New upstream LTS release 6.13.1:
- http,tls: better support for IPv6 addresses
- console: added console.count() and console.clear()
- crypto:
- expose ECDH class
- added cypto.randomFill() and crypto.randomFillSync()
- warn on invalid authentication tag length
- deps: upgrade libuv to 1.16.1
- dgram: added socket.setMulticastInterface()
- http: add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of Agent
- lib: return this from net.Socket.end()
- module: add builtinModules api that provides list of all builtin modules in Node
- net: return this from getConnections()
- promises: more robust stringification for unhandled rejections
- repl: improve require() autocompletion
- src:
- add openssl-system-ca-path configure option
- add --use-bundled-ca --use-openssl-ca check
- add process.ppid
- tls: accept lookup option for tls.connect()
- tools,build: a new macOS installer!
- url: WHATWG URL api support
- util: add %i and %f formatting specifiers
-
remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages.
-
Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules.
-
even on recent codestreams there is no binutils gold on s390 only on s390x
-
New upstream LTS release 6.12.3:
- v8: profiler-related fixes
- mostly documentation and test related changes
-
Enable CI tests in %check target
Список пакетов
SUSE Enterprise Storage 4
SUSE Linux Enterprise Module for Web and Scripting 12
SUSE OpenStack Cloud 7
Ссылки
- Link for SUSE-SU-2018:1183-1
- E-Mail link for SUSE-SU-2018:1183-1
- SUSE Security Ratings
- SUSE Bug 1087453
- SUSE Bug 1087459
- SUSE Bug 1087463
- SUSE CVE CVE-2018-7158 page
- SUSE CVE CVE-2018-7159 page
- SUSE CVE CVE-2018-7160 page
Описание
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.
Затронутые продукты
Ссылки
- CVE-2018-7158
- SUSE Bug 1087459
Описание
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.
Затронутые продукты
Ссылки
- CVE-2018-7159
- SUSE Bug 1087453
Описание
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
Затронутые продукты
Ссылки
- CVE-2018-7160
- SUSE Bug 1087463
- SUSE Bug 1182620