openSUSE Security Update : nodejs (openSUSE-2016-715)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for nodejs to version 4.4.5 fixes the several issues.

These security issues introduced by the bundled openssl were fixed by
going to version 1.0.2h :

- CVE-2016-2107: The AES-NI implementation in OpenSSL did
not consider memory allocation during a certain padding
check, which allowed remote attackers to obtain
sensitive cleartext information via a padding-oracle
attack against an AES CBC session (bsc#977616).

- CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate
function in crypto/evp/encode.c in OpenSSL allowed
remote attackers to cause a denial of service (heap
memory corruption) via a large amount of binary data
(bsc#977614).

- CVE-2016-0705: Double free vulnerability in the
dsa_priv_decode function in crypto/dsa/dsa_ameth.c in
OpenSSL allowed remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified
other impact via a malformed DSA private key
(bsc#968047).

- CVE-2016-0797: Multiple integer overflows in OpenSSL
allowed remote attackers to cause a denial of service
(heap memory corruption or NULL pointer dereference) or
possibly have unspecified other impact via a long digit
string that is mishandled by the (1) BN_dec2bn or (2)
BN_hex2bn function, related to crypto/bn/bn.h and
crypto/bn/bn_print.c (bsc#968048).

- CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF
function in crypto/bn/bn_exp.c in OpenSSL did not
properly consider cache-bank access times during modular
exponentiation, which made it easier for local users to
discover RSA keys by running a crafted application on
the same Intel Sandy Bridge CPU core as a victim and
leveraging cache-bank conflicts, aka a 'CacheBleed'
attack (bsc#968050).

These non-security issues were fixed :

- Fix faulty 'if' condition (string cannot equal a
boolean).

- buffer: Buffer no longer errors if you call lastIndexOf
with a search term longer than the buffer.

- contextify: Context objects are now properly garbage
collected, this solves a problem some individuals were
experiencing with extreme memory growth.

- Update npm to 2.15.5.

- http: Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999.

- deps: Fix --gdbjit for embedders. Backported from v8
upstream.

- querystring: Restore throw when attempting to stringify
bad surrogate pair.

- https: Under certain conditions SSL sockets may have been causing a memory leak when keepalive is enabled. This is no longer the case.

- lib: The way that we were internally passing arguments
was causing a potential leak. By copying the arguments
into an array we can avoid this.

- repl: Previously if you were using the repl in strict
mode the column number would be wrong in a stack trace.
This is no longer an issue.

- deps: An update to v8 that introduces a new flag
--perf_basic_prof_only_functions.

- http: A new feature in http(s) agent that catches errors on keep alived connections.

- src: Better support for big-endian systems.

- tls: A new feature that allows you to pass common SSL
options to tls.createSecurePair.

- build: Support python path that includes spaces.

- https: A potential fix for #3692
(HTTP/HTTPS client requests throwing EPROTO).

- installer: More readable profiling information from
isolate tick logs.

- process: Add support for symbols in event emitters
(symbols didn't exist when it was written).

- querystring: querystring.parse() is now 13-22% faster!

- streams: Performance improvements for moving small
buffers that shows a 5% throughput gain. IoT projects
have been seen to be as much as 10% faster with this
change!

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=968047
https://bugzilla.opensuse.org/show_bug.cgi?id=968048
https://bugzilla.opensuse.org/show_bug.cgi?id=968050
https://bugzilla.opensuse.org/show_bug.cgi?id=977614
https://bugzilla.opensuse.org/show_bug.cgi?id=977616

Solution :

Update the affected nodejs packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: SuSE Local Security Checks

Nessus Plugin ID: 91618 ()

Bugtraq ID:

CVE ID: CVE-2016-0702
CVE-2016-0705
CVE-2016-0797
CVE-2016-2105
CVE-2016-2107

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now