File _patchinfo of Package patchinfo.7016
<patchinfo incident="7016">
<issue id="1087459" tracker="bnc">VUL-1: CVE-2018-7158: nodejs4,nodejs6,nodejs: path module regular expression denial of service</issue>
<issue id="1087453" tracker="bnc">VUL-1: CVE-2018-7159: nodejs4,nodejs6,nodejs: HTTP parser allowed for spaces inside Content-Length header values</issue>
<issue id="1087463" tracker="bnc">VUL-0: CVE-2018-7160: nodejs4,nodejs6,nodejs: Inspector DNS rebinding vulnerability</issue>
<issue id="2018-7158" tracker="cve" />
<issue id="2018-7159" tracker="cve" />
<issue id="2018-7160" tracker="cve" />
<category>security</category>
<rating>moderate</rating>
<packager>adamm</packager>
<description>This update for nodejs6 fixes the following issues:
- Fix some node-gyp permissions
- New upstream LTS release 6.14.1:
  * Security fixes:
    + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability (bsc#1087463)
    + CVE-2018-7158: Fix for 'path' module regular expression denial of service (bsc#1087459)
    + CVE-2018-7159: Reject spaces in HTTP Content-Length header values
      (bsc#1087453)
- New upstream LTS release 6.13.1:
  * http,tls: better support for IPv6 addresses
  * console: added console.count() and console.clear()
  * crypto:
    + expose ECDH class
    + added crypto.randomFill() and crypto.randomFillSync()
    + warn on invalid authentication tag length
  * deps: upgrade libuv to 1.16.1
  * dgram: added socket.setMulticastInterface()
  * http: add agent.keepSocketAlive and agent.reuseSocket to
    allow overridable keep-alive behavior of Agent
  * lib: return this from net.Socket.end()
  * module: add builtinModules api that provides list of all
    builtin modules in Node
  * net: return this from getConnections()
  * promises: more robust stringification for unhandled rejections
  * repl: improve require() autocompletion
  * src:
    + add openssl-system-ca-path configure option
    + add --use-bundled-ca --use-openssl-ca check
    + add process.ppid
  * tls: accept lookup option for tls.connect()
  * tools,build: a new macOS installer!
  * url: WHATWG URL api support
  * util: add %i and %f formatting specifiers
- remove any old manpage files in %pre from before update-alternatives
  was used to manage symlinks to these manpages.
- Add Recommends and BuildRequire on python2 for npm. node-gyp
  requires this old version of python for now. This is only needed
  for binary modules.
- even on recent codestreams there is no binutils gold on s390,
  only on s390x
- New upstream LTS release 6.12.3:
  * v8: profiler-related fixes
  * mostly documentation and test related changes
- Enable CI tests in %check target
</description>
<summary>Security update for nodejs6</summary>
</patchinfo>