File _patchinfo of Package patchinfo.7998

<patchinfo incident="7998">
  <issue id="1087459" tracker="bnc">VUL-1: CVE-2018-7158: nodejs4,nodejs6,nodejs: path module regular expression denial of service</issue>
  <issue id="1087453" tracker="bnc">VUL-1: CVE-2018-7159: nodejs4,nodejs6,nodejs: HTTP parser allowed for spaces inside Content-Length header values</issue>
  <issue id="2018-7158" tracker="cve" />
  <issue id="2018-7159" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>adamm</packager>
  <description>This update for nodejs4 fixes the following issues:

- Fix some node-gyp permissions

- New upstream maintenance 4.9.1:
  * Security fixes:
    + CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459)
    + CVE-2018-7159: Reject spaces in HTTP Content-Length header values (bsc#1087453)
  * Upgrade to OpenSSL 1.0.2o
  * deps: reject interior blanks in Content-Length
  * deps: upgrade http-parser to v2.8.0

- Remove any old manpage files in %pre from before update-alternatives
  was used to manage symlinks to these manpages.

- Add Recommends and BuildRequires on python2 for npm. node-gyp
  requires this old version of python for now. This is only needed
  for binary modules.

- Even on recent codestreams there is no binutils gold on s390,
  only on s390x

- Enable CI tests in %check target
  
This update was imported from the SUSE:SLE-12:Update update project.</description>
  <summary>Security update for nodejs4</summary>
</patchinfo>