File _patchinfo of Package patchinfo.3284

<patchinfo incident="3284">
  <issue id="985201" tracker="bnc">VUL-0: CVE-2016-5325: nodejs, nodejs4: HTTP processing security defect</issue>
  <issue id="1001652" tracker="bnc">VUL-0: CVE-2016-7099: nodejs, nodejs4: wildcard certificates not properly validated</issue>
  <issue id="2016-6304" tracker="cve" />
  <issue id="2016-6306" tracker="cve" />
  <issue id="2016-2178" tracker="cve" />
  <issue id="2016-2183" tracker="cve" />
  <issue id="2016-5325" tracker="cve" />
  <issue id="2016-7099" tracker="cve" />
  <issue id="2016-7052" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>adamm</packager>
  <description>
This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs
and security issues:

* Nodejs embedded openssl version update
    + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,
      CVE-2016-6306, CVE-2016-7052)
    + remove support for dynamic 3rd party engine modules
* http: Properly validate for allowable characters in input
  user data. This introduces a new case where a throw may occur
  when configuring HTTP responses; users should already
  be adopting try/catch here. (CVE-2016-5325, bsc#985201)
* tls: properly validate wildcard certificates
  (CVE-2016-7099, bsc#1001652)
* buffer: Zero-fill excess bytes in new Buffer objects created
  with Buffer.concat()
</description>
  <summary>Security update for nodejs4</summary>
</patchinfo>