Security update for nodejs4 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0088-1 Final 1 1 2019-01-25T15:09:21Z current 2019-01-25T15:09:21Z 2019-01-25T15:09:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs4 This update for nodejs4 fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652) - CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534) - CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625) - CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626) - CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627) - CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630) - CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html E-Mail link for openSUSE-SU-2019:0088-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 nodejs4-4.9.1-20.1 nodejs4-devel-4.9.1-20.1 nodejs4-docs-4.9.1-20.1 npm4-4.9.1-20.1 nodejs4-4.9.1-20.1 as a component of openSUSE Leap 42.3 nodejs4-devel-4.9.1-20.1 as a component of openSUSE Leap 42.3 nodejs4-docs-4.9.1-20.1 as a component of openSUSE Leap 42.3 npm4-4.9.1-20.1 as a component of openSUSE Leap 42.3 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). CVE-2018-0734 openSUSE Leap 42.3:nodejs4-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-20.1 openSUSE Leap 42.3:npm4-4.9.1-20.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html https://www.suse.com/security/cve/CVE-2018-0734.html CVE-2018-0734 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1113652 SUSE Bug 1113652 https://bugzilla.suse.com/1113742 SUSE Bug 1113742 https://bugzilla.suse.com/1122198 SUSE Bug 1122198 https://bugzilla.suse.com/1122212 SUSE Bug 1122212 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. CVE-2018-12116 openSUSE Leap 42.3:nodejs4-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-20.1 openSUSE Leap 42.3:npm4-4.9.1-20.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html https://www.suse.com/security/cve/CVE-2018-12116.html CVE-2018-12116 https://bugzilla.suse.com/1117630 SUSE Bug 1117630 Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable. CVE-2018-12120 openSUSE Leap 42.3:nodejs4-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-20.1 openSUSE Leap 42.3:npm4-4.9.1-20.1 critical Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html https://www.suse.com/security/cve/CVE-2018-12120.html CVE-2018-12120 https://bugzilla.suse.com/1117625 SUSE Bug 1117625 Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer. CVE-2018-12121 openSUSE Leap 42.3:nodejs4-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-20.1 openSUSE Leap 42.3:npm4-4.9.1-20.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html https://www.suse.com/security/cve/CVE-2018-12121.html CVE-2018-12121 https://bugzilla.suse.com/1117626 SUSE Bug 1117626 https://bugzilla.suse.com/1127532 SUSE Bug 1127532 Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. CVE-2018-12122 openSUSE Leap 42.3:nodejs4-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-20.1 openSUSE Leap 42.3:npm4-4.9.1-20.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html https://www.suse.com/security/cve/CVE-2018-12122.html CVE-2018-12122 https://bugzilla.suse.com/1117627 SUSE Bug 1117627 Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect. CVE-2018-12123 openSUSE Leap 42.3:nodejs4-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-20.1 openSUSE Leap 42.3:npm4-4.9.1-20.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html https://www.suse.com/security/cve/CVE-2018-12123.html CVE-2018-12123 https://bugzilla.suse.com/1117629 SUSE Bug 1117629 Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. CVE-2018-5407 openSUSE Leap 42.3:nodejs4-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-devel-4.9.1-20.1 openSUSE Leap 42.3:nodejs4-docs-4.9.1-20.1 openSUSE Leap 42.3:npm4-4.9.1-20.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00035.html https://www.suse.com/security/cve/CVE-2018-5407.html CVE-2018-5407 https://bugzilla.suse.com/1113534 SUSE Bug 1113534 https://bugzilla.suse.com/1116195 SUSE Bug 1116195 https://bugzilla.suse.com/1126909 SUSE Bug 1126909