nodejs4-4.7.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10247-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z nodejs4-4.7.0-1.1 on GA media These are all security issues fixed in the nodejs4-4.7.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10247 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2016-1669/ SUSE CVE CVE-2016-1669 page https://www.suse.com/security/cve/CVE-2016-2178/ SUSE CVE CVE-2016-2178 page https://www.suse.com/security/cve/CVE-2016-2183/ SUSE CVE CVE-2016-2183 page https://www.suse.com/security/cve/CVE-2016-5180/ SUSE CVE CVE-2016-5180 page https://www.suse.com/security/cve/CVE-2016-5325/ SUSE CVE CVE-2016-5325 page https://www.suse.com/security/cve/CVE-2016-6304/ SUSE CVE CVE-2016-6304 page https://www.suse.com/security/cve/CVE-2016-6306/ SUSE CVE CVE-2016-6306 page https://www.suse.com/security/cve/CVE-2016-7052/ SUSE CVE CVE-2016-7052 page https://www.suse.com/security/cve/CVE-2016-7099/ SUSE CVE CVE-2016-7099 page openSUSE Tumbleweed nodejs4-4.7.0-1.1 nodejs4-devel-4.7.0-1.1 nodejs4-docs-4.7.0-1.1 npm4-4.7.0-1.1 nodejs4-4.7.0-1.1 as a component of openSUSE Tumbleweed nodejs4-devel-4.7.0-1.1 as a component of openSUSE Tumbleweed nodejs4-docs-4.7.0-1.1 as a component of openSUSE Tumbleweed npm4-4.7.0-1.1 as a component of openSUSE Tumbleweed The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code. CVE-2016-1669 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1669.html CVE-2016-1669 https://bugzilla.suse.com/979859 SUSE Bug 979859 https://bugzilla.suse.com/987919 SUSE Bug 987919 The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. CVE-2016-2178 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 low 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2178.html CVE-2016-2178 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/983249 SUSE Bug 983249 https://bugzilla.suse.com/983519 SUSE Bug 983519 https://bugzilla.suse.com/999665 SUSE Bug 999665 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. CVE-2016-2183 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2183.html CVE-2016-2183 https://bugzilla.suse.com/1001912 SUSE Bug 1001912 https://bugzilla.suse.com/1024218 SUSE Bug 1024218 https://bugzilla.suse.com/1027038 SUSE Bug 1027038 https://bugzilla.suse.com/1034689 SUSE Bug 1034689 https://bugzilla.suse.com/1056614 SUSE Bug 1056614 https://bugzilla.suse.com/1171693 SUSE Bug 1171693 https://bugzilla.suse.com/994844 SUSE Bug 994844 https://bugzilla.suse.com/995359 SUSE Bug 995359 Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot. CVE-2016-5180 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5180.html CVE-2016-5180 https://bugzilla.suse.com/1007728 SUSE Bug 1007728 CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. CVE-2016-5325 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 low 4 AV:N/AC:H/Au:N/C:P/I:P/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5325.html CVE-2016-5325 https://bugzilla.suse.com/985201 SUSE Bug 985201 https://bugzilla.suse.com/985202 SUSE Bug 985202 Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. CVE-2016-6304 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6304.html CVE-2016-6304 https://bugzilla.suse.com/1001706 SUSE Bug 1001706 https://bugzilla.suse.com/1003811 SUSE Bug 1003811 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/1005579 SUSE Bug 1005579 https://bugzilla.suse.com/1021375 SUSE Bug 1021375 https://bugzilla.suse.com/999665 SUSE Bug 999665 https://bugzilla.suse.com/999666 SUSE Bug 999666 The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. CVE-2016-6306 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6306.html CVE-2016-6306 https://bugzilla.suse.com/1004104 SUSE Bug 1004104 https://bugzilla.suse.com/999665 SUSE Bug 999665 https://bugzilla.suse.com/999668 SUSE Bug 999668 crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. CVE-2016-7052 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7052.html CVE-2016-7052 https://bugzilla.suse.com/1001148 SUSE Bug 1001148 The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. CVE-2016-7099 openSUSE Tumbleweed:nodejs4-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-devel-4.7.0-1.1 openSUSE Tumbleweed:nodejs4-docs-4.7.0-1.1 openSUSE Tumbleweed:npm4-4.7.0-1.1 important 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7099.html CVE-2016-7099 https://bugzilla.suse.com/1001652 SUSE Bug 1001652