openSUSE Security Update : nodejs (openSUSE-2016-715)

Critical Nessus Plugin ID 91618


VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for nodejs to version 4.4.5 fixes several issues.

These security issues in the bundled OpenSSL were fixed by updating it to version 1.0.2h:

- CVE-2016-2107: The AES-NI implementation in OpenSSL did not consider memory allocation during a certain padding check, which allowed remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session (bsc#977616).

- CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data (bsc#977614).

- CVE-2016-0705: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#968047).

- CVE-2016-0797: Multiple integer overflows in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c (bsc#968048).

- CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL did not properly consider cache-bank access times during modular exponentiation, which made it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a 'CacheBleed' attack (bsc#968050).

These non-security issues were fixed:

- Fix a faulty 'if' condition (a string cannot equal a boolean).

- buffer: Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer.

- contextify: Context objects are now properly garbage collected, which solves a problem some users were experiencing with extreme memory growth.

- Update npm to 2.15.5.

- http: Invalid status codes can no longer be sent. Status codes are limited to three-digit numbers between 100 and 999.

- deps: Fix --gdbjit for embedders. Backported from v8 upstream.

- querystring: Restore throw when attempting to stringify bad surrogate pair.

- https: Under certain conditions, SSL sockets could cause a memory leak when keepalive was enabled. This is no longer the case.

- lib: The way arguments were passed internally could cause a leak. Copying the arguments into an array avoids this.

- repl: Previously, if you were using the repl in strict mode, the column number in a stack trace would be wrong. This is no longer an issue.

- deps: An update to v8 that introduces a new flag, --perf_basic_prof_only_functions.

- http: A new feature in the http(s) agent that catches errors on keep-alive connections.

- src: Better support for big-endian systems.

- tls: A new feature that allows you to pass common SSL options to tls.createSecurePair.

- build: Support python path that includes spaces.

- https: A potential fix for #3692 (HTTP/HTTPS client requests throwing EPROTO).

- installer: More readable profiling information from isolate tick logs.

- process: Add support for symbols in event emitters (symbols did not exist when that code was written).

- querystring: querystring.parse() is now 13-22% faster!

- streams: Performance improvements for moving small buffers that show a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change.

Solution

Update the affected nodejs packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=968047

https://bugzilla.opensuse.org/show_bug.cgi?id=968048

https://bugzilla.opensuse.org/show_bug.cgi?id=968050

https://bugzilla.opensuse.org/show_bug.cgi?id=977614

https://bugzilla.opensuse.org/show_bug.cgi?id=977616

Plugin Details

Severity: Critical

ID: 91618

File Name: openSUSE-2016-715.nasl

Version: 2.6

Type: local

Agent: unix

Published: 2016/06/15

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 6.7

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nodejs, p-cpe:/a:novell:opensuse:nodejs-debuginfo, p-cpe:/a:novell:opensuse:nodejs-debugsource, p-cpe:/a:novell:opensuse:nodejs-devel, p-cpe:/a:novell:opensuse:npm, cpe:/o:novell:opensuse:13.2, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/06/14

Reference Information

CVE: CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-2105, CVE-2016-2107