101881

https://nodejs.org/en/blog/release/v4.8.5/

https://nodejs.org/en/blog/release/v6.11.5/

https://nodejs.org/en/blog/release/v8.8.0/

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

This update for nodejs6 fixes the following issues: Security issues fixed :

  - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to     embedded OpenSSL (bsc#1072322).

  - CVE-2017-14919: Embedded zlib issue could cause a DoS     via specific windowBits value.

  - CVE-2017-3738: Embedded OpenSSL is vulnerable to     rsaz_1024_mul_avx2 overflow bug on x86_64.

  - CVE-2017-3736: Embedded OpenSSL is vulnerable to     bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242).

  - CVE-2017-3735: Embedded OpenSSL is vulnerable to     malformed X.509 IPAdressFamily that could cause OOB read     (bsc#1056058). Bug fixes :

  - Update to LTS release 6.12.2 (bsc#1072322):
    https://nodejs.org/en/blog/vulnerability/december-2017-s     ecurity-releases/

  - https://nodejs.org/en/blog/release/v6.12.2/

  - https://nodejs.org/en/blog/release/v6.12.1/

  - https://nodejs.org/en/blog/release/v6.12.0/

  - https://nodejs.org/en/blog/release/v6.11.5/

  - https://nodejs.org/en/blog/release/v6.11.4/

  - https://nodejs.org/en/blog/release/v6.11.3/

  - https://nodejs.org/en/blog/release/v6.11.2/

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs4 fixes the following issues: Security issues fixed :

  - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to     embedded OpenSSL (bsc#1072322).

  - CVE-2017-14919: Embedded zlib issue could cause a DoS     via specific windowBits value.

  - CVE-2017-3738: Embedded OpenSSL is vulnerable to     rsaz_1024_mul_avx2 overflow bug on x86_64.

  - CVE-2017-3736: Embedded OpenSSL is vulnerable to     bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242).

  - CVE-2017-3735: Embedded OpenSSL is vulnerable to     malformed X.509 IPAdressFamily that could cause OOB read     (bsc#1056058). Bug fixes :

  - Update to release 4.8.7 (bsc#1072322):
    https://nodejs.org/en/blog/vulnerability/december-2017-s     ecurity-releases/

  - https://nodejs.org/en/blog/release/v4.8.7/

  - https://nodejs.org/en/blog/release/v4.8.6/

  - https://nodejs.org/en/blog/release/v4.8.5/

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs6 fixes the following issues :

Security issues fixed :

  - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to     embedded OpenSSL (bsc#1072322).

  - CVE-2017-14919: Embedded zlib issue could cause a DoS     via specific windowBits value.

  - CVE-2017-3738: Embedded OpenSSL is vulnerable to     rsaz_1024_mul_avx2 overflow bug on x86_64.

  - CVE-2017-3736: Embedded OpenSSL is vulnerable to     bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242).

  - CVE-2017-3735: Embedded OpenSSL is vulnerable to     malformed X.509 IPAdressFamily that could cause OOB read     (bsc#1056058).

Bug fixes :

  - Update to LTS release 6.12.2 (bsc#1072322) :

  - https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

  - https://nodejs.org/en/blog/release/v6.12.2/

  - https://nodejs.org/en/blog/release/v6.12.1/

  - https://nodejs.org/en/blog/release/v6.12.0/

  - https://nodejs.org/en/blog/release/v6.11.5/

  - https://nodejs.org/en/blog/release/v6.11.4/

  - https://nodejs.org/en/blog/release/v6.11.3/

  - https://nodejs.org/en/blog/release/v6.11.2/

This update was imported from the SUSE:SLE-12:Update update project.

This update for nodejs4 fixes the following issues :

Security issues fixed :

  - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to     embedded OpenSSL (bsc#1072322).

  - CVE-2017-14919: Embedded zlib issue could cause a DoS     via specific windowBits value.

  - CVE-2017-3738: Embedded OpenSSL is vulnerable to     rsaz_1024_mul_avx2 overflow bug on x86_64.

  - CVE-2017-3736: Embedded OpenSSL is vulnerable to     bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242).

  - CVE-2017-3735: Embedded OpenSSL is vulnerable to     malformed X.509 IPAdressFamily that could cause OOB read     (bsc#1056058).

Bug fixes :

  - Update to release 4.8.7 (bsc#1072322) :

  - https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

  - https://nodejs.org/en/blog/release/v4.8.7/

  - https://nodejs.org/en/blog/release/v4.8.6/

  - https://nodejs.org/en/blog/release/v4.8.5/

This update was imported from the SUSE:SLE-12:Update update project.

# 2017-10-24, Version 6.11.5 'Boron' (LTS), @MylesBorins

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities.

## Notable Changes

  - zlib :

  - CVE-2017-14919 - In zlib v1.2.9, a change was made that     causes an error to be raised when a raw deflate stream     is initialized with windowBits set to 8. On some     versions this crashes Node and you cannot recover from     it, while on some versions it throws an exception.
    Node.js will now gracefully set windowBits to 9     replicating the legacy behavior to avoid a DOS vector.
    nodejs-private/node-private#95

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Node.js reports :

Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception (depending on the version)

ID	Name	Product	Family	Severity
120014	SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:0293-1)	Nessus	SuSE Local Security Checks	critical
120012	SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2018:0002-1)	Nessus	SuSE Local Security Checks	critical
106547	openSUSE Security Update : nodejs6 (openSUSE-2018-116)	Nessus	SuSE Local Security Checks	critical
105638	openSUSE Security Update : nodejs4 (openSUSE-2018-5)	Nessus	SuSE Local Security Checks	critical
104450	Fedora 25 : 1:nodejs (2017-c582c1e728)	Nessus	Fedora Local Security Checks	high
104198	FreeBSD : Node.js -- remote DOS security vulnerability (d7d1cc94-b971-11e7-af3a-f1035dd0da62)	Nessus	FreeBSD Local Security Checks	high

CVE-2017-14919

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

high

high