Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2021 Tenable Network Security, Inc.OPENSUSE-2016-1172.NASL
HistoryOct 12, 2016 - 12:00 a.m.

openSUSE Security Update : nodejs (openSUSE-2016-1172)

2016-10-1200:00:00
This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.
www.tenable.com
15
JSON

This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs and security issues :

  • Nodejs embedded openssl version update

  • upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178, CVE-2016-6306, CVE-2016-7052)

  • remove support for dynamic 3rd party engine modules

  • http: Properly validate for allowable characters in input user data. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here.
    (CVE-2016-5325, bsc#985201)

    • tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)

    • buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat()

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-1172.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(94002);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2016-1669", "CVE-2016-2178", "CVE-2016-2183", "CVE-2016-5325", "CVE-2016-6304", "CVE-2016-6306", "CVE-2016-7052", "CVE-2016-7099");

  script_name(english:"openSUSE Security Update : nodejs (openSUSE-2016-1172)");
  script_summary(english:"Check for the openSUSE-2016-1172 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update brings the new upstream nodejs LTS version 4.6.0, fixing
bugs and security issues :

  - Nodejs embedded openssl version update

  + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183,
    CVE-2016-2178, CVE-2016-6306, CVE-2016-7052)

  + remove support for dynamic 3rd party engine modules

- http: Properly validate for allowable characters in input
user data. This introduces a new case where throw may occur
when configuring HTTP responses, users should already
be adopting try/catch here.
  (CVE-2016-5325, bsc#985201)

  - tls: properly validate wildcard certificates
    (CVE-2016-7099, bsc#1001652)

  - buffer: Zero-fill excess bytes in new Buffer objects
    created with Buffer.concat()"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1001652"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=985201"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nodejs packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nodejs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:npm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.2|SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2 / 42.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE13.2", reference:"nodejs-4.6.0-24.2") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"nodejs-debuginfo-4.6.0-24.2") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"nodejs-debugsource-4.6.0-24.2") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"nodejs-devel-4.6.0-24.2") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"nodejs-4.6.0-33.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"nodejs-debuginfo-4.6.0-33.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"nodejs-debugsource-4.6.0-33.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"nodejs-devel-4.6.0-33.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"npm-4.6.0-33.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nodejs / nodejs-debuginfo / nodejs-debugsource / nodejs-devel / npm");
}
VendorProductVersionCPE
novellopensusenodejsp-cpe:/a:novell:opensuse:nodejs
novellopensusenodejs-debuginfop-cpe:/a:novell:opensuse:nodejs-debuginfo
novellopensusenodejs-debugsourcep-cpe:/a:novell:opensuse:nodejs-debugsource
novellopensusenodejs-develp-cpe:/a:novell:opensuse:nodejs-devel
novellopensusenpmp-cpe:/a:novell:opensuse:npm
novellopensuse13.2cpe:/o:novell:opensuse:13.2
novellopensuse42.1cpe:/o:novell:opensuse:42.1

Related

suse 12
openvas 31
nessus 39
ibm 62
redhat 4
mageia 2
threatpost 2
nodejsblog 2
oraclelinux 2
aix 1
fedora 5
centos 1
gentoo 1
f5 3
cloudfoundry 1
archlinux 4
osv 3
debian 2
altlinux 1
ubuntu 2
huawei 1
cisco 1
prion 4
ubuntucve 2
redhatcve 2
cve 3
debiancve 2
veracode 2
openssl 1
slackware 1
suse
suse
Security update for nodejs (important)
2016-10-11 19:20:03
Security update for nodejs4 (important)
2016-10-06 20:14:21
Security update for nodejs4 (important)
2016-11-01 16:19:35
openvas
openvas
openSUSE: Security Advisory for nodejs (openSUSE-SU-2016:2496-1)
2016-10-12 00:00:00
SUSE: Security Advisory (SUSE-SU-2016:2470-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2016:2470-2)
2021-06-09 00:00:00
nessus
nessus
SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2016:2470-1)
2019-01-02 00:00:00
Arista Networks EOS 4.17 Multiple Vulnerabilities (SA0024) (SWEET32)
2018-02-28 00:00:00
Arista Networks EOS Multiple Vulnerabilities (SA0024) (SWEET32)
2018-02-28 00:00:00
ibm
ibm
Security Bulletin: Multiple OpenSSL and Non-OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software
2020-02-05 00:09:48
Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor
2018-06-15 07:06:49
Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™ in IBM Bluemix
2018-08-09 04:20:36
redhat
redhat
(RHSA-2017:0002) Important: rh-nodejs4-nodejs and rh-nodejs4-http-parser security update
2017-01-02 15:33:44
(RHSA-2016:1940) Important: openssl security update
2016-09-27 11:50:45
(RHSA-2017:1658) Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update
2017-06-28 19:58:57
mageia
mageia
Updated nodejs packages fix security vulnerability
2017-07-13 12:10:46
Updated openssl packages fix security vulnerabilities
2016-10-12 01:12:20
threatpost
threatpost
OpenSSL Patches High-Severity OCSP Bug, Mitigates SWEET32 Attack
2016-09-23 15:47:13
OpenSSL Fixes Critical Bug Introduced by Latest Update
2016-09-26 10:45:04
nodejsblog
nodejsblog
Security updates for all active release lines, September 2016
2016-09-23 00:00:00
Security updates for all active release lines, June 2016
2016-06-13 00:00:00
oraclelinux
oraclelinux
openssl security update
2016-10-13 00:00:00
openssl security update
2016-09-27 00:00:00
aix
aix
Vulnerabilities in OpenSSL affect AIX
2016-11-14 13:29:26
fedora
fedora
[SECURITY] Fedora 24 Update: openssl-1.0.2j-1.fc24
2016-09-28 01:57:16
[SECURITY] Fedora 25 Update: openssl-1.0.2j-1.fc25
2016-10-09 03:28:42
[SECURITY] Fedora 23 Update: openssl-1.0.2j-1.fc23
2016-10-11 23:24:05
centos
centos
openssl security update
2016-09-28 14:48:04
gentoo
gentoo
OpenSSL: Multiple vulnerabilities
2016-12-07 00:00:00
f5
f5
K24444803 : Node.js vulnerabilities CVE-2015-8860, CVE-2015-8856, CVE-2016-7099, and CVE-2016-5325
2018-10-17 00:00:00
SOL39272405 - OpenSSL vulnerability CVE-2016-7052
2016-10-10 00:00:00
SOL90492697 - OpenSSL vulnerability CVE-2016-6306
2016-10-24 00:00:00
cloudfoundry
cloudfoundry
USN-3087-2 OpenSSL Regression | Cloud Foundry
2016-09-28 00:00:00
archlinux
archlinux
[ASA-201609-24] lib32-openssl: multiple issues
2016-09-26 00:00:00
[ASA-201609-23] openssl: multiple issues
2016-09-26 00:00:00
[ASA-201609-28] lib32-openssl: denial of service
2016-09-27 00:00:00
osv
osv
openssl - security update
2016-09-25 00:00:00
openssl - security update
2016-09-22 00:00:00
openssl - regression update
2016-09-22 00:00:00
debian
debian
[SECURITY] [DLA 637-1] openssl security update
2016-09-25 11:55:01
[SECURITY] [DSA 3673-1] openssl security update
2016-09-22 16:50:14
altlinux
altlinux
Security fix for the ALT Linux 7 package openssl10 version 1.0.1u-alt0.M70P.1
2016-09-23 00:00:00
ubuntu
ubuntu
OpenSSL regression
2016-09-23 00:00:00
OpenSSL vulnerabilities
2016-09-22 00:00:00
huawei
huawei
Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products
2017-03-22 00:00:00
cisco
cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
2016-09-27 22:40:00
prion
prion
Design/Logic Flaw
2016-10-10 16:59:00
Crlf injection
2016-10-10 16:59:00
Null pointer dereference
2016-09-26 19:59:00
ubuntucve
ubuntucve
CVE-2016-7099
2016-10-10 00:00:00
CVE-2016-5325
2016-10-10 00:00:00
redhatcve
redhatcve
CVE-2016-5325
2016-06-15 16:19:00
CVE-2016-7099
2016-09-28 06:47:27
cve
cve
CVE-2016-7099
2016-10-10 16:59:00
CVE-2016-5325
2016-10-10 16:59:00
CVE-2016-7052
2016-09-26 19:59:00
debiancve
debiancve
CVE-2016-7099
2016-10-10 16:59:00
CVE-2016-5325
2016-10-10 16:59:00
veracode
veracode
Man-in-the-Middle (MitM)
2018-09-24 07:23:39
HTTP Response Splitting
2018-09-24 05:08:11
openssl
openssl
Vulnerability in OpenSSL CVE-2016-7052
2016-09-26 00:00:00
slackware
slackware
[slackware-security] openssl
2016-09-26 18:59:48
JSON
Related for OPENSUSE-2016-1172.NASL
suse12openvas31nessus39ibm62redhat4mageia2threatpost2nodejsblog2oraclelinux2aix1fedora5centos1gentoo1f53cloudfoundry1archlinux4osv3debian2altlinux1ubuntu2huawei1cisco1prion4ubuntucve2redhatcve2cve3debiancve2veracode2openssl1slackware1