Security update for nodejs4 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0952-1 Final 1 1 2018-04-16T15:32:06Z current 2018-04-16T15:32:06Z 2018-04-16T15:32:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs4 This update for nodejs4 fixes the following issues: - Fix some node-gyp permissions - New upstream maintenance 4.9.1: * Security fixes: + CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459) + CVE-2018-7159: Reject spaces in HTTP Content-Length header values (bsc#1087453) * Upgrade to OpenSSL 1.0.2o * deps: reject interior blanks in Content-Length * deps: upgrade http-parser to v2.8.0 - remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages. - Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules. - even on recent codestreams there is no binutils gold on s390 only on s390x - Enable CI tests in %check target The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Web-Scripting-12-2018-649,SUSE-Storage-4-2018-649 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180952-1/ Link for SUSE-SU-2018:0952-1 https://lists.suse.com/pipermail/sle-security-updates/2018-April/003892.html E-Mail link for SUSE-SU-2018:0952-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1087453 SUSE Bug 1087453 https://bugzilla.suse.com/1087459 SUSE Bug 1087459 https://www.suse.com/security/cve/CVE-2018-7158/ SUSE CVE CVE-2018-7158 page https://www.suse.com/security/cve/CVE-2018-7159/ SUSE CVE CVE-2018-7159 page SUSE Enterprise Storage 4 SUSE Linux Enterprise Module for Web and Scripting 12 nodejs4-4.9.1-15.11.1 nodejs4-devel-4.9.1-15.11.1 nodejs4-docs-4.9.1-15.11.1 npm4-4.9.1-15.11.1 nodejs4-4.9.1-15.11.1 as a component of SUSE Enterprise Storage 4 nodejs4-4.9.1-15.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs4-devel-4.9.1-15.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs4-docs-4.9.1-15.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 npm4-4.9.1-15.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service. CVE-2018-7158 SUSE Enterprise Storage 4:nodejs4-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.11.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180952-1/ https://www.suse.com/security/cve/CVE-2018-7158.html CVE-2018-7158 https://bugzilla.suse.com/1087459 SUSE Bug 1087459 The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete. CVE-2018-7159 SUSE Enterprise Storage 4:nodejs4-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.11.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.11.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180952-1/ https://www.suse.com/security/cve/CVE-2018-7159.html CVE-2018-7159 https://bugzilla.suse.com/1087453 SUSE Bug 1087453