openSUSE Security Update: Security update for nodejs
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:1566-1
Rating:             important
References:         #968047 #968048 #968050 #977614 #977616 
Cross-References:   CVE-2016-0702 CVE-2016-0705 CVE-2016-0797
                    CVE-2016-2105 CVE-2016-2107
Affected Products:
                    openSUSE Leap 42.1
                    openSUSE 13.2
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for nodejs to version 4.4.5 fixes several issues.

   These security issues in the bundled OpenSSL were fixed by updating it
   to version 1.0.2h:
   - CVE-2016-2107: The AES-NI implementation in OpenSSL did not consider
     memory allocation during a certain padding check, which allowed remote
     attackers to obtain sensitive cleartext information via a padding-oracle
     attack against an AES CBC session (bsc#977616).
   - CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate function in
     crypto/evp/encode.c in OpenSSL allowed remote attackers to cause a
     denial of service (heap memory corruption) via a large amount of binary
     data (bsc#977614).
   - CVE-2016-0705: Double free vulnerability in the dsa_priv_decode function
     in crypto/dsa/dsa_ameth.c in OpenSSL allowed remote attackers to cause a
     denial of service (memory corruption) or possibly have unspecified other
     impact via a malformed DSA private key (bsc#968047).
   - CVE-2016-0797: Multiple integer overflows in OpenSSL allowed remote
     attackers to cause a denial of service (heap memory corruption or NULL
     pointer dereference) or possibly have unspecified other impact via a
     long digit string that is mishandled by the (1) BN_dec2bn or (2)
     BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c
     (bsc#968048).
   - CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in
     crypto/bn/bn_exp.c in OpenSSL did not properly consider cache-bank
     access times during modular exponentiation, which made it easier for
     local users to discover RSA keys by running a crafted application on the
     same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank
     conflicts, aka a "CacheBleed" attack (bsc#968050).

   These non-security issues were fixed:
   - Fix faulty "if" condition (string cannot equal a boolean).
   - buffer: Buffer no longer errors if you call lastIndexOf with a search
     term longer than the buffer.
   - contextify: Context objects are now properly garbage collected, this
     solves a problem some individuals were experiencing with extreme memory
     growth.
   - Update npm to 2.15.5.
   - http: Invalid status codes can no longer be sent. Limited to 3 digit
     numbers between 100 - 999.
   - deps: Fix --gdbjit for embedders. Backported from v8 upstream.
   - querystring: Restore throw when attempting to stringify bad surrogate
     pair.
   - https: Under certain conditions SSL sockets may have been causing a
     memory leak when keepalive is enabled. This is no longer the case.
   - lib: The way that we were internally passing arguments was causing a
     potential leak. By copying the arguments into an array we can avoid this.
   - repl: Previously if you were using the repl in strict mode the column
     number would be wrong in a stack trace. This is no longer an issue.
   - deps: An update to v8 that introduces a new flag
     --perf_basic_prof_only_functions.
   - http: A new feature in http(s) agent that catches errors on keep alived
     connections.
   - src: Better support for big-endian systems.
   - tls: A new feature that allows you to pass common SSL options to
     tls.createSecurePair.
   - build: Support python path that includes spaces.
   - https: A potential fix for #3692 (HTTP/HTTPS client requests throwing
     EPROTO).
   - installer: More readable profiling information from isolate tick logs.
   - process: Add support for symbols in event emitters (symbols didn't exist
     when it was written).
   - querystring: querystring.parse() is now 13-22% faster!
   - streams: Performance improvements for moving small buffers that shows a
     5% throughput gain. IoT projects have been seen to be as much as 10%
     faster with this change!


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2016-715=1

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2016-715=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.1 (i586 x86_64):

      nodejs-4.4.5-27.1
      nodejs-debuginfo-4.4.5-27.1
      nodejs-debugsource-4.4.5-27.1
      nodejs-devel-4.4.5-27.1
      npm-4.4.5-27.1

   - openSUSE Leap 42.1 (noarch):

      nodejs-docs-4.4.5-27.1

   - openSUSE 13.2 (i586 x86_64):

      nodejs-4.4.5-18.1
      nodejs-debuginfo-4.4.5-18.1
      nodejs-debugsource-4.4.5-18.1
      nodejs-devel-4.4.5-18.1

   - openSUSE 13.2 (noarch):

      nodejs-doc-4.4.5-18.1
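
A post-update check for the builds listed above, as an added example that is not part of the original advisory. The fixed version-release strings and the OpenSSL version come from this advisory; the function names are hypothetical, and GNU `sort -V` is used as an approximation of rpm's own version ordering.

```shell
#!/bin/sh
# Added example: verify that the fixed nodejs build from this advisory is
# installed and that the node binary on PATH bundles the fixed OpenSSL.

FIXED_OPENSSL="1.0.2h"   # bundled OpenSSL version named in the advisory

# fixed_build PRODUCT -> prints the fixed nodejs version-release (package list)
fixed_build() {
    case "$1" in
        "openSUSE Leap 42.1") echo "4.4.5-27.1" ;;
        "openSUSE 13.2")      echo "4.4.5-18.1" ;;
        *) return 1 ;;
    esac
}

# version_ge A B -> succeeds when A >= B under GNU sort -V ordering
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# nodejs_status PRODUCT INSTALLED_VERSION_RELEASE OPENSSL_VERSION -> verdict
nodejs_status() {
    want=$(fixed_build "$1") || { echo "unknown-product"; return 0; }
    if ! version_ge "$2" "$want"; then
        echo "vulnerable-package"     # rpm older than the fixed build
    elif ! version_ge "$3" "$FIXED_OPENSSL"; then
        echo "vulnerable-openssl"     # e.g. a non-packaged node earlier on PATH
    else
        echo "fixed"
    fi
}

# check_live PRODUCT -> query the running system (needs rpm and node)
check_live() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs) ||
        { echo "nodejs package not installed"; return 1; }
    ssl=$(node -p 'process.versions.openssl')
    echo "nodejs $vr, OpenSSL $ssl: $(nodejs_status "$1" "$vr" "$ssl")"
}

# Usage: sh check.sh "openSUSE Leap 42.1"
if [ $# -gt 0 ]; then check_live "$1"; fi
```

Long-running node processes keep the old bundled OpenSSL mapped until they are restarted, so restart services after the package check passes.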


References:

   https://www.suse.com/security/cve/CVE-2016-0702.html
   https://www.suse.com/security/cve/CVE-2016-0705.html
   https://www.suse.com/security/cve/CVE-2016-0797.html
   https://www.suse.com/security/cve/CVE-2016-2105.html
   https://www.suse.com/security/cve/CVE-2016-2107.html
   https://bugzilla.suse.com/968047
   https://bugzilla.suse.com/968048
   https://bugzilla.suse.com/968050
   https://bugzilla.suse.com/977614
   https://bugzilla.suse.com/977616

openSUSE: 2016:1566-1: important: nodejs

June 14, 2016