Security update for nodejs4 (important)

2016-11-01T16:19:35
ID SUSE-SU-2016:2470-2
Type suse
Reporter Suse
Modified 2016-11-01T16:19:35

Description

This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs and security issues:

  • Nodejs embedded openssl version update
    • upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178, CVE-2016-6306, CVE-2016-7052)
    • remove support for dynamic 3rd party engine modules
  • http: Properly validate for allowable characters in input user data. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. (CVE-2016-5325, bsc#985201)
  • tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)
  • buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat()