Security update for nodejs8 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0118-1 Final 1 1 2019-01-18T10:52:58Z current 2019-01-18T10:52:58Z 2019-01-18T10:52:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs8 This update for nodejs8 to version 8.15.0 fixes the following issues: Security issues fixed: - CVE-2018-12121: Fixed a Denial of Service with large HTTP headers (bsc#1117626) - CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627) - CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630) - CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-118,SUSE-SLE-Module-Web-Scripting-15-2019-118 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190118-1/ Link for SUSE-SU-2019:0118-1 https://lists.suse.com/pipermail/sle-security-updates/2019-January/005043.html E-Mail link for SUSE-SU-2019:0118-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1117626 SUSE Bug 1117626 https://bugzilla.suse.com/1117627 SUSE Bug 1117627 https://bugzilla.suse.com/1117629 SUSE Bug 1117629 https://bugzilla.suse.com/1117630 SUSE Bug 1117630 https://www.suse.com/security/cve/CVE-2018-12116/ SUSE CVE CVE-2018-12116 page https://www.suse.com/security/cve/CVE-2018-12121/ SUSE CVE CVE-2018-12121 page https://www.suse.com/security/cve/CVE-2018-12122/ SUSE CVE CVE-2018-12122 page https://www.suse.com/security/cve/CVE-2018-12123/ SUSE CVE CVE-2018-12123 page SUSE Linux Enterprise Module for Web and Scripting 15 nodejs8-8.15.0-3.11.1 nodejs8-devel-8.15.0-3.11.1 nodejs8-docs-8.15.0-3.11.1 npm8-8.15.0-3.11.1 nodejs8-8.15.0-3.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 nodejs8-devel-8.15.0-3.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 nodejs8-docs-8.15.0-3.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 npm8-8.15.0-3.11.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. CVE-2018-12116 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-devel-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-docs-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:npm8-8.15.0-3.11.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190118-1/ https://www.suse.com/security/cve/CVE-2018-12116.html CVE-2018-12116 https://bugzilla.suse.com/1117630 SUSE Bug 1117630 Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer. CVE-2018-12121 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-devel-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-docs-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:npm8-8.15.0-3.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190118-1/ https://www.suse.com/security/cve/CVE-2018-12121.html CVE-2018-12121 https://bugzilla.suse.com/1117626 SUSE Bug 1117626 https://bugzilla.suse.com/1127532 SUSE Bug 1127532 Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. CVE-2018-12122 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-devel-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-docs-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:npm8-8.15.0-3.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190118-1/ https://www.suse.com/security/cve/CVE-2018-12122.html CVE-2018-12122 https://bugzilla.suse.com/1117627 SUSE Bug 1117627 Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect. CVE-2018-12123 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-devel-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:nodejs8-docs-8.15.0-3.11.1 SUSE Linux Enterprise Module for Web and Scripting 15:npm8-8.15.0-3.11.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190118-1/ https://www.suse.com/security/cve/CVE-2018-12123.html CVE-2018-12123 https://bugzilla.suse.com/1117629 SUSE Bug 1117629