openSUSE Security Update: Security update for nodejs8 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:1963-1 Rating: moderate References: #1091764 #1097375 #1097401 #1097404 Cross-References: CVE-2018-1000168 CVE-2018-7161 CVE-2018-7167 Affected Products: openSUSE Leap 15.0 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for nodejs8 to version 8.11.3 fixes the following issues: These security issues were fixed: - CVE-2018-7167: Calling Buffer.fill() or Buffer.alloc() with some parameters could have lead to a hang which could have resulted in a DoS (bsc#1097375). - CVE-2018-7161: By interacting with the http2 server in a manner that triggered a cleanup bug where objects are used in native code after they are no longer available an attacker could have caused a denial of service (DoS) by causing a node server providing an http2 server to crash (bsc#1097404). - CVE-2018-1000168: Fixed a denial of service vulnerability by unbundling nghttp2 (bsc#1097401) This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-724=1 Package List: - openSUSE Leap 15.0 (i586 x86_64): nodejs8-8.11.3-lp150.2.3.1 nodejs8-debuginfo-8.11.3-lp150.2.3.1 nodejs8-debugsource-8.11.3-lp150.2.3.1 nodejs8-devel-8.11.3-lp150.2.3.1 npm8-8.11.3-lp150.2.3.1 - openSUSE Leap 15.0 (noarch): nodejs8-docs-8.11.3-lp150.2.3.1 References: https://www.suse.com/security/cve/CVE-2018-1000168.html https://www.suse.com/security/cve/CVE-2018-7161.html https://www.suse.com/security/cve/CVE-2018-7167.html https://bugzilla.suse.com/1091764 https://bugzilla.suse.com/1097375 https://bugzilla.suse.com/1097401 https://bugzilla.suse.com/1097404 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org