
   openSUSE Security Update: Security update for nodejs6
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:0315-1
Rating:             moderate
References:         #1056058 #1066242 #1072322
Cross-References:   CVE-2017-14919 CVE-2017-15896 CVE-2017-3735
                    CVE-2017-3736 CVE-2017-3738
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for nodejs6 fixes the following issues:

   Security issues fixed:

   - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL
     (bsc#1072322).
   - CVE-2017-14919: Embedded zlib issue could cause a DoS via specific
     windowBits value.
   - CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2
     overflow bug on x86_64.
   - CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal
     carry bug on x86_64 (bsc#1066242).
   - CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509
     IPAddressFamily that could cause OOB read (bsc#1056058).

   Bug fixes:

   - Update to LTS release 6.12.2 (bsc#1072322):
     * https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
     * https://nodejs.org/en/blog/release/v6.12.2/
     * https://nodejs.org/en/blog/release/v6.12.1/
     * https://nodejs.org/en/blog/release/v6.12.0/
     * https://nodejs.org/en/blog/release/v6.11.5/
     * https://nodejs.org/en/blog/release/v6.11.4/
     * https://nodejs.org/en/blog/release/v6.11.3/
     * https://nodejs.org/en/blog/release/v6.11.2/

   This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-116=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      nodejs6-6.12.2-6.1
      nodejs6-debuginfo-6.12.2-6.1
      nodejs6-debugsource-6.12.2-6.1
      nodejs6-devel-6.12.2-6.1
      npm6-6.12.2-6.1

   - openSUSE Leap 42.3 (noarch):

      nodejs6-docs-6.12.2-6.1


References:

   https://www.suse.com/security/cve/CVE-2017-14919.html
   https://www.suse.com/security/cve/CVE-2017-15896.html
   https://www.suse.com/security/cve/CVE-2017-3735.html
   https://www.suse.com/security/cve/CVE-2017-3736.html
   https://www.suse.com/security/cve/CVE-2017-3738.html
   https://bugzilla.suse.com/1056058
   https://bugzilla.suse.com/1066242
   https://bugzilla.suse.com/1072322