{"affected":[{"ecosystem_specific":{"binaries":[{"nodejs4":"4.6.0-8.1","nodejs4-devel":"4.6.0-8.1","nodejs4-docs":"4.6.0-8.1","npm4":"4.6.0-8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Web and Scripting 12","name":"nodejs4","purl":"pkg:rpm/suse/nodejs4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.6.0-8.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"\nThis update brings the new upstream nodejs LTS version 4.6.0, fixing bugs\nand security issues:\n\n* Nodejs embedded openssl version update\n    + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,\n      CVE-2016-6306, CVE-2016-7052)\n    + remove support for dynamic 3rd party engine modules\n* http: Properly validate for allowable characters in input\n  user data. This introduces a new case where throw may occur\n  when configuring HTTP responses, users should already\n  be adopting try/catch here. (CVE-2016-5325, bsc#985201)\n* tls: properly validate wildcard certificates\n  (CVE-2016-7099, bsc#1001652)\n* buffer: Zero-fill excess bytes in new Buffer objects created\n  with Buffer.concat()\n","id":"SUSE-SU-2016:2470-2","modified":"2016-10-06T14:39:43Z","published":"2016-10-06T14:39:43Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2016/suse-su-20162470-2/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1001652"},{"type":"REPORT","url":"https://bugzilla.suse.com/985201"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-2178"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-2183"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5325"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-6304"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-6306"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-7052"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-7099"}],"related":["CVE-2016-2178","CVE-2016-2183","CVE-2016-5325","CVE-2016-6304","CVE-2016-6306","CVE-2016-7052","CVE-2016-7099"],"summary":"Security update for nodejs4","upstream":["CVE-2016-2178","CVE-2016-2183","CVE-2016-5325","CVE-2016-6304","CVE-2016-6306","CVE-2016-7052","CVE-2016-7099"]}