File _patchinfo of Package patchinfo.5180

<patchinfo incident="5180">
  <issue id="1041283" tracker="bnc">GCC 7: nodejs4 fails to build</issue>
  <issue id="1048299" tracker="bnc">VUL-0: nodejs4, nodejs6: Constant Hashtable Seeds (CVE pending)</issue>
  <issue id="1041282" tracker="bnc">GCC 7: nodejs6 fails to build</issue>
  <issue id="1044946" tracker="bnc">VUL-0: CVE-2017-1000381: libcares2: NAPTR parser out of bounds access</issue>
  <issue id="2017-1000381" tracker="cve" />
  <issue id="2017-11499" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>adamm</packager>
  <description>This update for nodejs4 and nodejs6 fixes the following issues:

Security issues fixed:

- CVE-2017-1000381: The c-ares function ares_parse_naptr_reply() could be triggered to read memory
  outside of the given input buffer if the passed-in DNS response packet was crafted in a
  particular way. (bsc#1044946)
- CVE-2017-11499: Disable V8 snapshots. The hashseed embedded in the snapshot is currently the same
  for all runs of the binary. This opens node up to collision attacks which could result in a Denial
  of Service. We have temporarily disabled snapshots until a more robust solution is found.
  (bsc#1048299)

Non-security fixes:

- Backport GCC 7 compilation fixes for v8 and add missing ICU59 headers (bsc#1041282)
- New upstream LTS release 6.11.1
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.11.1
- New upstream LTS release 6.11.0
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.11.0
- New upstream LTS release 6.10.3
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.3
- New upstream LTS release 6.10.2
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.2
- New upstream LTS release 6.10.1
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.1
- New upstream LTS release 6.10.0
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.10.0

- New upstream LTS release 4.8.4
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.4
- New upstream LTS release 4.8.3
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.3
- New upstream LTS release 4.8.2
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.2
- New upstream LTS release 4.8.1
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.1
- New upstream LTS release 4.8.0
  * https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V4.md#4.8.0
</description>
  <summary>Security update for nodejs4, nodejs6</summary>
</patchinfo>