This update for nodejs4 fixes the following issues :
New upstream LTS release 4.7.3 The embedded openssl sources were updated to 1.0.2k (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, bsc#1022085, bsc#1022086, bsc#1009528)
No changes in LTS version 4.7.2
New upstream LTS release 4.7.1
build: shared library support is now working for AIX builds
repl: passing options to the repl will no longer overwrite defaults
timers: recanceling a cancelled timers will no longer throw
New upstream LTS version 4.7.0
build: introduce the configure --shared option for embedders
debugger: make listen address configurable in debugger server
dgram: generalized send queue to handle close, fixing a potential throw when dgram socket is closed in the listening event handler
http: introduce the 451 status code ‘Unavailable For Legal Reasons’
gtest: the test reporter now outputs tap comments as yamlish
tls: introduce secureContext for tls.connect (useful for caching client certificates, key, and CA certificates)
tls: fix memory leak when writing data to TLSWrap instance during handshake
src: node no longer aborts when c-ares initialization fails
ported and updated system CA store for the new node crypto code
New upstream LTS version 4.6.2
build :
Add missing conflicts to base package. It’s not possible to have concurrent nodejs installations.
enable usage of system certificate store on SLE11SP4 by requiring openssl1 (bsc#1000036)
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2017:0855-1.
# The text itself is copyright (C) SUSE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(119996);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id("CVE-2016-7055", "CVE-2017-3731", "CVE-2017-3732");
script_name(english:"SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2017:0855-1)");
script_summary(english:"Checks rpm output for the updated packages.");
script_set_attribute(
attribute:"synopsis",
value:"The remote SUSE host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"This update for nodejs4 fixes the following issues :
- New upstream LTS release 4.7.3 The embedded openssl
sources were updated to 1.0.2k (CVE-2017-3731,
CVE-2017-3732, CVE-2016-7055, bsc#1022085, bsc#1022086,
bsc#1009528)
- No changes in LTS version 4.7.2
- New upstream LTS release 4.7.1
- build: shared library support is now working for AIX
builds
- repl: passing options to the repl will no longer
overwrite defaults
- timers: recanceling a cancelled timers will no longer
throw
- New upstream LTS version 4.7.0
- build: introduce the configure --shared option for
embedders
- debugger: make listen address configurable in debugger
server
- dgram: generalized send queue to handle close, fixing a
potential throw when dgram socket is closed in the
listening event handler
- http: introduce the 451 status code 'Unavailable For Legal Reasons'
- gtest: the test reporter now outputs tap comments as
yamlish
- tls: introduce secureContext for tls.connect (useful for
caching client certificates, key, and CA certificates)
- tls: fix memory leak when writing data to TLSWrap
instance during handshake
- src: node no longer aborts when c-ares initialization
fails
- ported and updated system CA store for the new node
crypto code
- New upstream LTS version 4.6.2
- build :
+ It is now possible to build the documentation from the
release tarball.
- buffer :
+ Buffer.alloc() will no longer incorrectly return a zero
filled buffer when an encoding is passed.
- deps :
+ Upgrade npm in LTS to 2.15.11.
- repl :
+ Enable tab completion for global properties.
- url :
+ url.format() will now encode all '#' in search.
- Add missing conflicts to base package. It's not possible
to have concurrent nodejs installations.
- enable usage of system certificate store on SLE11SP4 by
requiring openssl1 (bsc#1000036)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1000036"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1009528"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1022085"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1022086"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.suse.com/security/cve/CVE-2016-7055/"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.suse.com/security/cve/CVE-2017-3731/"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.suse.com/security/cve/CVE-2017-3732/"
);
# https://www.suse.com/support/update/announcement/2017/suse-su-20170855-1/
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?39e422ea"
);
script_set_attribute(
attribute:"solution",
value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :
SUSE Linux Enterprise Module for Web Scripting 12:zypper in -t patch
SUSE-SLE-Module-Web-Scripting-12-2017-476=1
SUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2017-476=1
To bring your system up-to-date, use 'zypper patch'."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3732");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nodejs4-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:npm4");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/04");
script_set_attribute(attribute:"patch_publication_date", value:"2017/03/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/02");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);
flag = 0;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-4.7.3-14.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-debuginfo-4.7.3-14.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-debugsource-4.7.3-14.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"nodejs4-devel-4.7.3-14.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"npm4-4.7.3-14.1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nodejs4");
}
Vendor | Product | Version | CPE |
---|---|---|---|
novell | suse_linux | nodejs4 | p-cpe:/a:novell:suse_linux:nodejs4 |
novell | suse_linux | nodejs4-debuginfo | p-cpe:/a:novell:suse_linux:nodejs4-debuginfo |
novell | suse_linux | nodejs4-debugsource | p-cpe:/a:novell:suse_linux:nodejs4-debugsource |
novell | suse_linux | nodejs4-devel | p-cpe:/a:novell:suse_linux:nodejs4-devel |
novell | suse_linux | npm4 | p-cpe:/a:novell:suse_linux:npm4 |
novell | suse_linux | 12 | cpe:/o:novell:suse_linux:12 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732
www.nessus.org/u?39e422ea
bugzilla.suse.com/show_bug.cgi?id=1000036
bugzilla.suse.com/show_bug.cgi?id=1009528
bugzilla.suse.com/show_bug.cgi?id=1022085
bugzilla.suse.com/show_bug.cgi?id=1022086
www.suse.com/security/cve/CVE-2016-7055/
www.suse.com/security/cve/CVE-2017-3731/
www.suse.com/security/cve/CVE-2017-3732/