Security update for nodejs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0604-1 Final 1 1 2016-02-28T21:25:51Z current 2016-02-28T21:25:51Z 2016-02-28T21:25:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs This update for nodejs fixes the following issues: - CVE-2016-2216: Response splitting vulnerability using Unicode characters (boo#966076) - CVE-2016-2086: Request smuggling vulnerability (boo#966077) Node.js was updated to the 4.3.1 LTS version, containing all upstream bug fixes and improvements. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-02/msg00165.html E-Mail link for openSUSE-SU-2016:0604-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 nodejs-4.3.1-24.1 nodejs-devel-4.3.1-24.1 nodejs-docs-4.3.1-24.1 npm-4.3.1-24.1 nodejs-4.3.1-24.1 as a component of openSUSE Leap 42.1 nodejs-devel-4.3.1-24.1 as a component of openSUSE Leap 42.1 nodejs-docs-4.3.1-24.1 as a component of openSUSE Leap 42.1 npm-4.3.1-24.1 as a component of openSUSE Leap 42.1 Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. CVE-2016-2086 openSUSE Leap 42.1:nodejs-4.3.1-24.1 openSUSE Leap 42.1:nodejs-devel-4.3.1-24.1 openSUSE Leap 42.1:nodejs-docs-4.3.1-24.1 openSUSE Leap 42.1:npm-4.3.1-24.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00165.html https://www.suse.com/security/cve/CVE-2016-2086.html CVE-2016-2086 https://bugzilla.suse.com/966076 SUSE Bug 966076 https://bugzilla.suse.com/966077 SUSE Bug 966077 The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a. CVE-2016-2216 openSUSE Leap 42.1:nodejs-4.3.1-24.1 openSUSE Leap 42.1:nodejs-devel-4.3.1-24.1 openSUSE Leap 42.1:nodejs-docs-4.3.1-24.1 openSUSE Leap 42.1:npm-4.3.1-24.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00165.html https://www.suse.com/security/cve/CVE-2016-2216.html CVE-2016-2216 https://bugzilla.suse.com/966076 SUSE Bug 966076 https://bugzilla.suse.com/966077 SUSE Bug 966077