openSUSE Security Update: Security update for nodejs ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:1566-1 Rating: important References: #968047 #968048 #968050 #977614 #977616 Cross-References: CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-2105 CVE-2016-2107 Affected Products: openSUSE Leap 42.1 openSUSE 13.2 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for nodejs to version 4.4.5 fixes the several issues. These security issues introduced by the bundled openssl were fixed by going to version 1.0.2h: - CVE-2016-2107: The AES-NI implementation in OpenSSL did not consider memory allocation during a certain padding check, which allowed remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session (bsc#977616). - CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data (bsc#977614). - CVE-2016-0705: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#968047). - CVE-2016-0797: Multiple integer overflows in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c (bsc#968048). - CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL did not properly consider cache-bank access times during modular exponentiation, which made it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack (bsc#968050). These non-security issues were fixed: - Fix faulty "if" condition (string cannot equal a boolean). - buffer: Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer. - contextify: Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth. - Update npm to 2.15.5. - http: Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. - deps: Fix --gdbjit for embedders. Backported from v8 upstream. - querystring: Restore throw when attempting to stringify bad surrogate pair. - https: Under certain conditions SSL sockets may have been causing a memory leak when keepalive is enabled. This is no longer the case. - lib: The way that we were internally passing arguments was causing a potential leak. By copying the arguments into an array we can avoid this. - repl: Previously if you were using the repl in strict mode the column number would be wrong in a stack trace. This is no longer an issue. - deps: An update to v8 that introduces a new flag --perf_basic_prof_only_functions. - http: A new feature in http(s) agent that catches errors on keep alived connections. - src: Better support for big-endian systems. - tls: A new feature that allows you to pass common SSL options to tls.createSecurePair. - build: Support python path that includes spaces. - https: A potential fix for #3692 (HTTP/HTTPS client requests throwing EPROTO). - installer: More readable profiling information from isolate tick logs. - process: Add support for symbols in event emitters (symbols didn't exist when it was written). - querystring: querystring.parse() is now 13-22% faster! - streams: Performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.1: zypper in -t patch openSUSE-2016-715=1 - openSUSE 13.2: zypper in -t patch openSUSE-2016-715=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.1 (i586 x86_64): nodejs-4.4.5-27.1 nodejs-debuginfo-4.4.5-27.1 nodejs-debugsource-4.4.5-27.1 nodejs-devel-4.4.5-27.1 npm-4.4.5-27.1 - openSUSE Leap 42.1 (noarch): nodejs-docs-4.4.5-27.1 - openSUSE 13.2 (i586 x86_64): nodejs-4.4.5-18.1 nodejs-debuginfo-4.4.5-18.1 nodejs-debugsource-4.4.5-18.1 nodejs-devel-4.4.5-18.1 - openSUSE 13.2 (noarch): nodejs-doc-4.4.5-18.1 References: https://www.suse.com/security/cve/CVE-2016-0702.html https://www.suse.com/security/cve/CVE-2016-0705.html https://www.suse.com/security/cve/CVE-2016-0797.html https://www.suse.com/security/cve/CVE-2016-2105.html https://www.suse.com/security/cve/CVE-2016-2107.html https://bugzilla.suse.com/968047 https://bugzilla.suse.com/968048 https://bugzilla.suse.com/968050 https://bugzilla.suse.com/977614 https://bugzilla.suse.com/977616 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org