Security update for nodejs8
| Announcement ID: | SUSE-SU-2018:2812-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves two vulnerabilities and has one security fix can now be installed.
Description:
This update for nodejs8 to version 8.11.4 fixes the following issues:
Security issues fixed:
- CVE-2018-12115: Fixed an out-of-bounds memory write in Buffer that could be used to write to memory outside of a Buffer's memory space buffer (bsc#1105019)
- Upgrade to OpenSSL 1.0.2p, which fixed:
- CVE-2018-0732: Client denial-of-service due to large DH parameter (bsc#1097158)
- ECDSA key extraction via local side-channel
Other changes made:
- Recommend same major version npm package (bsc#1097748)
- Fix parallel/test-tls-passphrase.js test to continue to function with older versions of OpenSSL library.
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Web and Scripting Module 15
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2018-1971=1
Package List:
-
Web and Scripting Module 15 (aarch64 ppc64le s390x x86_64)
- nodejs8-8.11.4-3.8.2
- nodejs8-devel-8.11.4-3.8.2
- nodejs8-debuginfo-8.11.4-3.8.2
- npm8-8.11.4-3.8.2
- nodejs8-debugsource-8.11.4-3.8.2
-
Web and Scripting Module 15 (noarch)
- nodejs8-docs-8.11.4-3.8.2