Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2018:0967-1

Опубликовано: 17 апр. 2018
Источник: suse-cvrf

Описание

Security update for nodejs4

This update for nodejs4 fixes the following issues:

  • Fix some node-gyp permissions

  • New upstream maintenance 4.9.1:

    • Security fixes:
      • CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459)
      • CVE-2018-7159: Reject spaces in HTTP Content-Length header values (bsc#1087453)
    • Upgrade to OpenSSL 1.0.2o
    • deps: reject interior blanks in Content-Length
    • deps: upgrade http-parser to v2.8.0

  • remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages.

  • Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules.

  • even on recent codestreams there is no binutils gold on s390 only on s390x

  • Enable CI tests in %check target

This update was imported from the SUSE:SLE-12:Update update project.

Список пакетов

openSUSE Leap 42.3
nodejs4-4.9.1-14.1
nodejs4-devel-4.9.1-14.1
nodejs4-docs-4.9.1-14.1
npm4-4.9.1-14.1

Ссылки

Описание

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.

Затронутые продукты
openSUSE Leap 42.3:nodejs4-4.9.1-14.1
openSUSE Leap 42.3:nodejs4-devel-4.9.1-14.1
openSUSE Leap 42.3:nodejs4-docs-4.9.1-14.1
openSUSE Leap 42.3:npm4-4.9.1-14.1
Ссылки

Описание

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.

Затронутые продукты
openSUSE Leap 42.3:nodejs4-4.9.1-14.1
openSUSE Leap 42.3:nodejs4-devel-4.9.1-14.1
openSUSE Leap 42.3:nodejs4-docs-4.9.1-14.1
openSUSE Leap 42.3:npm4-4.9.1-14.1
Ссылки