CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
rhn.redhat.com/errata/RHSA-2017-0002.html
www.securityfocus.com/bid/93483
access.redhat.com/errata/RHSA-2016:2101
github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762
nodejs.org/en/blog/vulnerability/september-2016-security-releases/
security.gentoo.org/glsa/201612-43