openSUSE Security Update : nodejs (openSUSE-2016-715)

critical Nessus Plugin ID 91618


The remote openSUSE host is missing a security update.


This update for nodejs to version 4.4.5 fixes several issues.

These security issues, introduced by the bundled OpenSSL, were fixed by updating it to version 1.0.2h:

- CVE-2016-2107: The AES-NI implementation in OpenSSL did not consider memory allocation during a certain padding check, which allowed remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session (bsc#977616).

- CVE-2016-2105: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data (bsc#977614).

- CVE-2016-0705: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#968047).

- CVE-2016-0797: Multiple integer overflows in OpenSSL allowed remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c (bsc#968048).

- CVE-2016-0702: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL did not properly consider cache-bank access times during modular exponentiation, which made it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a 'CacheBleed' attack (bsc#968050).

These non-security issues were fixed:

- Fix faulty 'if' condition (string cannot equal a boolean).

- buffer: Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer.

- contextify: Context objects are now properly garbage collected; this solves a problem some individuals were experiencing with extreme memory growth.

- Update npm to 2.15.5.

- http: Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999.

- deps: Fix --gdbjit for embedders. Backported from v8 upstream.

- querystring: Restore throw when attempting to stringify bad surrogate pair.

- https: Under certain conditions SSL sockets may have been causing a memory leak when keepalive is enabled. This is no longer the case.

- lib: The way that we were internally passing arguments was causing a potential leak. By copying the arguments into an array we can avoid this.

- repl: Previously if you were using the repl in strict mode the column number would be wrong in a stack trace. This is no longer an issue.

- deps: An update to v8 that introduces a new flag

- http: A new feature in http(s) agent that catches errors on kept-alive connections.

- src: Better support for big-endian systems.

- tls: A new feature that allows you to pass common SSL options to tls.createSecurePair.

- build: Support python path that includes spaces.

- https: A potential fix for #3692 (HTTP/HTTPS client requests throwing EPROTO).

- installer: More readable profiling information from isolate tick logs.

- process: Add support for symbols in event emitters (symbols didn't exist when it was written).

- querystring: querystring.parse() is now 13-22% faster!

- streams: Performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change!


Update the affected nodejs packages.

Plugin Details

Severity: Critical

ID: 91618

File Name: openSUSE-2016-715.nasl

Version: 2.7

Type: local

Agent: unix

Published: 6/15/2016

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Medium

Score: 6.7


CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C


CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nodejs, p-cpe:/a:novell:opensuse:nodejs-debuginfo, p-cpe:/a:novell:opensuse:nodejs-debugsource, p-cpe:/a:novell:opensuse:nodejs-devel, p-cpe:/a:novell:opensuse:npm, cpe:/o:novell:opensuse:13.2, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/14/2016

Reference Information

CVE: CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-2105, CVE-2016-2107