Security update for nodejs8
This update for nodejs8 to version 8.11.3 fixes the following issues:
These security issues were fixed:
- CVE-2018-7167: Calling Buffer.fill() or Buffer.alloc() with some parameters
could have lead to a hang which could have resulted in a DoS (bsc#1097375).
- CVE-2018-7161: By interacting with the http2 server in a manner that
triggered a cleanup bug where objects are used in native code after they are no
longer available an attacker could have caused a denial of service (DoS) by
causing a node server providing an http2 server to crash (bsc#1097404).
- CVE-2018-1000168: Fixed a denial of service vulnerability by unbundling
nghttp2 (bsc#1097401)
This update was imported from the SUSE:SLE-15:Update update project.
-
Submitted by
Adam Majer (adamm)
Fixed bugs
bnc#1097404
VUL-0: CVE-2018-7161: nodejs8: Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
bnc#1091764
[staging] FTBFS: nojdejs8 fails to build against icu 61.1
bnc#1097375
VUL-0: CVE-2018-7167: nodejs4,nodejs6,nodejs8: Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
bnc#1097401
VUL-0: CVE-2018-1000168: nodejs8: nghttp2: ALTSVC frame client side DoS
