
[security-announce] openSUSE-SU-2016:1566-1: important: Security update for nodejs


openSUSE Security Update: Security update for nodejs

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2016:1566-1

Rating: important

References: #968047 #968048 #968050 #977614 #977616

Cross-References: CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-2105 CVE-2016-2107

Affected Products:
- openSUSE Leap 42.1
- openSUSE 13.2

______________________________________________________________________________

 

An update that fixes 5 vulnerabilities is now available.

 

Description:

 

This update for nodejs to version 4.4.5 fixes several issues.

These security issues introduced by the bundled openssl were fixed by going to version 1.0.2h:

- CVE-2016-2107: The AES-NI implementation in OpenSSL did not consider memory allocation during a certain padding check, which allowed remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session (bsc#977616).
- CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data (bsc#977614).
- CVE-2016-0705: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#968047).
- CVE-2016-0797: Multiple integer overflows in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c (bsc#968048).
- CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL did not properly consider cache-bank access times during modular exponentiation, which made it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack (bsc#968050).

 

These non-security issues were fixed:

- Fix faulty "if" condition (string cannot equal a boolean).
- buffer: Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer.
- contextify: Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth.
- Update npm to 2.15.5.
- http: Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999.
- deps: Fix --gdbjit for embedders. Backported from v8 upstream.
- querystring: Restore throw when attempting to stringify bad surrogate pair.
- https: Under certain conditions SSL sockets may have been causing a memory leak when keepalive is enabled. This is no longer the case.
- lib: The way that we were internally passing arguments was causing a potential leak. By copying the arguments into an array we can avoid this.
- repl: Previously if you were using the repl in strict mode the column number would be wrong in a stack trace. This is no longer an issue.
- deps: An update to v8 that introduces a new flag --perf_basic_prof_only_functions.
- http: A new feature in http(s) agent that catches errors on keep alived connections.
- src: Better support for big-endian systems.
- tls: A new feature that allows you to pass common SSL options to tls.createSecurePair.
- build: Support python path that includes spaces.
- https: A potential fix for #3692 (HTTP/HTTPS client requests throwing EPROTO).
- installer: More readable profiling information from isolate tick logs.
- process: Add support for symbols in event emitters (symbols didn't exist when it was written).
- querystring: querystring.parse() is now 13-22% faster!
- streams: Performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change!

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- openSUSE Leap 42.1:

    zypper in -t patch openSUSE-2016-715=1

- openSUSE 13.2:

    zypper in -t patch openSUSE-2016-715=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE Leap 42.1 (i586 x86_64):

    nodejs-4.4.5-27.1
    nodejs-debuginfo-4.4.5-27.1
    nodejs-debugsource-4.4.5-27.1
    nodejs-devel-4.4.5-27.1
    npm-4.4.5-27.1

- openSUSE Leap 42.1 (noarch):

    nodejs-docs-4.4.5-27.1

- openSUSE 13.2 (i586 x86_64):

    nodejs-4.4.5-18.1
    nodejs-debuginfo-4.4.5-18.1
    nodejs-debugsource-4.4.5-18.1
    nodejs-devel-4.4.5-18.1

- openSUSE 13.2 (noarch):

    nodejs-doc-4.4.5-18.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2016-0702.html

https://www.suse.com/security/cve/CVE-2016-0705.html

https://www.suse.com/security/cve/CVE-2016-0797.html

https://www.suse.com/security/cve/CVE-2016-2105.html

https://www.suse.com/security/cve/CVE-2016-2107.html

https://bugzilla.suse.com/968047

https://bugzilla.suse.com/968048

https://bugzilla.suse.com/968050

https://bugzilla.suse.com/977614

https://bugzilla.suse.com/977616

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org
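
A check to run after patching, as an added example that is not part of the original announcement: it compares the versions a Node.js runtime reports against the fixed levels stated above (nodejs 4.4.5, bundled OpenSSL 1.0.2h), including the letter-suffix ordering that OpenSSL 1.0.x releases use. The function names and the sample version objects are constructed for illustration; `process.versions` is Node's own API.

```javascript
'use strict';
// Fixed levels stated in the advisory above.
const FIXED = { node: '4.4.5', openssl: '1.0.2h' };

// Parse an OpenSSL version such as "1.0.2h", "1.0.2" or "3.0.13+quic".
// 1.0.x releases carry the patch level as a trailing letter suffix.
function parseOpenssl(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(v);
  if (!m) throw new Error('unrecognised OpenSSL version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], letters: m[4] };
}

// Returns -1, 0 or 1. Suffix order is "" < "a" < ... < "z" < "za" < "zb".
function compareOpenssl(a, b) {
  const x = parseOpenssl(a), y = parseOpenssl(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.letters.length !== y.letters.length) {
    return x.letters.length < y.letters.length ? -1 : 1;
  }
  return x.letters === y.letters ? 0 : (x.letters < y.letters ? -1 : 1);
}

// Compare dotted numeric versions such as "4.4.5" or "v4.4.5".
function compareDotted(a, b) {
  const x = a.replace(/^v/, '').split('.').map(Number);
  const y = b.replace(/^v/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const p = x[i] || 0, q = y[i] || 0;
    if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// `versions` has the shape of process.versions ({ node, openssl, ... }).
// opensslAtFixedLevel is null when the runtime reports no OpenSSL version.
function assess(versions) {
  return {
    node: versions.node,
    openssl: versions.openssl,
    nodeAtFixedLevel: compareDotted(versions.node, FIXED.node) >= 0,
    opensslAtFixedLevel: versions.openssl
      ? compareOpenssl(versions.openssl, FIXED.openssl) >= 0 : null,
  };
}

// Constructed sample inputs (not captured from real hosts), then the live runtime.
const SAMPLES = [{ node: '4.4.3', openssl: '1.0.2g' }, { node: '4.4.5', openssl: '1.0.2h' }];
for (const v of SAMPLES.concat([process.versions])) console.log(JSON.stringify(assess(v)));
```

A long-running Node.js process keeps the old binary mapped until it is restarted, so run the check inside the service's own runtime rather than only from a fresh shell.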

 

 

 
