File _patchinfo of Package patchinfo.6331

<patchinfo incident="6331">
  <issue id="1056058" tracker="bnc">VUL-1: CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read</issue>
  <issue id="1072322" tracker="bnc">VUL-0: CVE-2017-15896: nodejs4,nodejs6: Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data</issue>
  <issue id="1066242" tracker="bnc">VUL-0: CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64</issue>
  <issue id="2017-3735" tracker="cve" />
  <issue id="2017-3736" tracker="cve" />
  <issue id="2017-15896" tracker="cve" />
  <issue id="2017-3738" tracker="cve" />
  <issue id="2017-14919" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>adamm</packager>
  <description>This update for nodejs4 fixes the following issues:

Security issues fixed:

- CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL (bsc#1072322).
- CVE-2017-14919: Embedded zlib issue could cause a DoS via specific windowBits value.
- CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2 overflow bug on x86_64.
- CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242).
- CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509 IPAddressFamily that could cause OOB read (bsc#1056058).

Bug fixes:

- Update to release 4.8.7 (bsc#1072322):
  * https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
  * https://nodejs.org/en/blog/release/v4.8.7/
  * https://nodejs.org/en/blog/release/v4.8.6/
  * https://nodejs.org/en/blog/release/v4.8.5/
</description>
  <summary>Security update for nodejs4</summary>
</patchinfo>