Sicherheit: Mehrere Probleme in node.js
||Mehrere Probleme in node.js
||SUSE openSUSE 13.2, SUSE openSUSE Leap 42.1
||Di, 14. Juni 2016, 13:01
openSUSE Security Update: Security update for nodejs
Announcement ID: openSUSE-SU-2016:1566-1
References: #968047 #968048 #968050 #977614 #977616
Cross-References: CVE-2016-0702 CVE-2016-0705 CVE-2016-0797
openSUSE Leap 42.1
An update that fixes 5 vulnerabilities is now available.
This update for nodejs to version 4.4.5 fixes the several issues.
These security issues introduced by the bundled openssl were fixed by
going to version 1.0.2h:
- CVE-2016-2107: The AES-NI implementation in OpenSSL did not consider
memory allocation during a certain padding check, which allowed remote
attackers to obtain sensitive cleartext information via a padding-oracle
attack against an AES CBC session (bsc#977616).
- CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate function in
crypto/evp/encode.c in OpenSSL allowed remote attackers to cause a
denial of service (heap memory corruption) via a large amount of binary
- CVE-2016-0705: Double free vulnerability in the dsa_priv_decode function
in crypto/dsa/dsa_ameth.c in OpenSSL allowed remote attackers to cause a
denial of service (memory corruption) or possibly have unspecified other
impact via a malformed DSA private key (bsc#968047).
- CVE-2016-0797: Multiple integer overflows in OpenSSL allowed remote
attackers to cause a denial of service (heap memory corruption or NULL
pointer dereference) or possibly have unspecified other impact via a
long digit string that is mishandled by the (1) BN_dec2bn or (2)
BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c
- CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in
crypto/bn/bn_exp.c in OpenSSL did not properly consider cache-bank
access times during modular exponentiation, which made it easier for
local users to discover RSA keys by running a crafted application on the
same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank
conflicts, aka a "CacheBleed" attack (bsc#968050).
These non-security issues were fixed:
- Fix faulty "if" condition (string cannot equal a boolean).
- buffer: Buffer no longer errors if you call lastIndexOf with a search
term longer than the buffer.
- contextify: Context objects are now properly garbage collected, this
solves a problem some individuals were experiencing with extreme memory
- Update npm to 2.15.5.
- http: Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999.
- deps: Fix --gdbjit for embedders. Backported from v8 upstream.
- querystring: Restore throw when attempting to stringify bad surrogate
- https: Under certain conditions SSL sockets may have been causing a
memory leak when keepalive is enabled. This is no longer the case.
- lib: The way that we were internally passing arguments was causing a
potential leak. By copying the arguments into an array we can avoid this.
- repl: Previously if you were using the repl in strict mode the column
number would be wrong in a stack trace. This is no longer an issue.
- deps: An update to v8 that introduces a new flag
- http: A new feature in http(s) agent that catches errors on keep alived
- src: Better support for big-endian systems.
- tls: A new feature that allows you to pass common SSL options to
- build: Support python path that includes spaces.
- https: A potential fix for #3692 (HTTP/HTTPS client requests throwing
- installer: More readable profiling information from isolate tick logs.
- process: Add support for symbols in event emitters (symbols didn't
when it was written).
- querystring: querystring.parse() is now 13-22% faster!
- streams: Performance improvements for moving small buffers that shows a
5% throughput gain. IoT projects have been seen to be as much as 10%
faster with this change!
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-715=1
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-715=1
To bring your system up-to-date, use "zypper patch".
- openSUSE Leap 42.1 (i586 x86_64):
- openSUSE Leap 42.1 (noarch):
- openSUSE 13.2 (i586 x86_64):
- openSUSE 13.2 (noarch):
To unsubscribe, e-mail: email@example.com
For additional commands, e-mail: firstname.lastname@example.org