openSUSE Security Update: Security update for nodejs6
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:1209-1
Rating:             moderate
References:         #1087453 #1087459 #1087463
Cross-References:   CVE-2018-7158 CVE-2018-7159 CVE-2018-7160
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for nodejs6 fixes the following issues:

   - Fix some node-gyp permissions
   - New upstream LTS release 6.14.1:
     * Security fixes:
       + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability
         (bsc#1087463)
       + CVE-2018-7158: Fix for 'path' module regular expression denial of
         service (bsc#1087459)
       + CVE-2018-7159: Reject spaces in HTTP Content-Length header values
         (bsc#1087453)
   - New upstream LTS release 6.13.1:
     * http,tls: better support for IPv6 addresses
     * console: added console.count() and console.clear()
     * crypto:
       + expose ECDH class
       + added crypto.randomFill() and crypto.randomFillSync()
       + warn on invalid authentication tag length
     * deps: upgrade libuv to 1.16.1
     * dgram: added socket.setMulticastInterface()
     * http: add agent.keepSocketAlive and agent.reuseSocket to allow
       overridable keep-alive behavior of Agent
     * lib: return this from net.Socket.end()
     * module: add builtinModules api that provides a list of all builtin
       modules in Node
     * net: return this from getConnections()
     * promises: more robust stringification for unhandled rejections
     * repl: improve require() autocompletion
     * src:
       + add openssl-system-ca-path configure option
       + add --use-bundled-ca --use-openssl-ca check
       + add process.ppid
     * tls: accept lookup option for tls.connect()
     * tools,build: a new macOS installer!
     * url: WHATWG URL api support
     * util: add %i and %f formatting specifiers
   - Remove any old manpage files in %pre left over from before
     update-alternatives was used to manage symlinks to these manpages.
   - Add Recommends and BuildRequire on python2 for npm. node-gyp requires
     this old version of python for now. This is only needed for binary
     modules.
   - Even on recent codestreams there is no binutils gold on s390, only on
     s390x.
   - New upstream LTS release 6.12.3:
     * v8: profiler-related fixes
     * mostly documentation and test related changes
   - Enable CI tests in %check target

   This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-444=1

Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      nodejs6-6.14.1-9.2
      nodejs6-debuginfo-6.14.1-9.2
      nodejs6-debugsource-6.14.1-9.2
      nodejs6-devel-6.14.1-9.2
      npm6-6.14.1-9.2

   - openSUSE Leap 42.3 (noarch):

      nodejs6-docs-6.14.1-9.2

References:

   https://www.suse.com/security/cve/CVE-2018-7158.html
   https://www.suse.com/security/cve/CVE-2018-7159.html
   https://www.suse.com/security/cve/CVE-2018-7160.html
   https://bugzilla.suse.com/1087453
   https://bugzilla.suse.com/1087459
   https://bugzilla.suse.com/1087463
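The CVE-2018-7159 entry above ("Reject spaces in HTTP Content-Length header values") is the kind of check an application or proxy in front of an older Node.js can also apply itself. The following is an added example, not code from the advisory or from Node.js: it contrasts lenient numeric parsing of the header with a strict digits-only validation over constructed sample values; the function names and samples are this example's own.

```javascript
// Added example (not from the openSUSE advisory or the Node.js source tree).
// A Content-Length value must be a plain run of ASCII digits. Lenient parsing
// with parseInt() silently accepts leading whitespace, an embedded space,
// a sign or trailing junk, so two components that parse the same header
// differently can disagree about where the request body ends.

const STRICT_CONTENT_LENGTH = /^[0-9]+$/;

// Lenient parse: returns whatever parseInt() can salvage from the value,
// or null when nothing numeric is found.
function lenientContentLength(value) {
  const n = parseInt(value, 10);
  return Number.isNaN(n) ? null : n;
}

// Strict parse: accept only a non-empty sequence of ASCII digits. Any space,
// sign or other character anywhere in the value is a rejection; the caller
// should answer 400 and close the connection rather than guess.
function strictContentLength(value) {
  if (typeof value !== 'string' || !STRICT_CONTENT_LENGTH.test(value)) {
    return null;
  }
  return Number(value);
}

// Constructed sample header values covering the cases the two parsers
// disagree on.
const SAMPLE_VALUES = ['42', ' 42', '42 ', '4 2', '+42', '42abc', ''];

// Returns one row per sample showing both interpretations side by side.
function compareParsers(values = SAMPLE_VALUES) {
  return values.map((value) => ({
    value,
    lenient: lenientContentLength(value),
    strict: strictContentLength(value),
  }));
}

for (const row of compareParsers()) {
  console.log(JSON.stringify(row));
}
```

Only `'42'` is accepted by both parsers; every other sample is read as a number by the lenient parser but rejected by the strict one.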