-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Application Runtimes Node.js 8.11.4 security update
Advisory ID:       RHSA-2018:2552-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2552
Issue date:        2018-08-22
Keywords:          Node.js
CVE Names:         CVE-2018-0732 CVE-2018-12115 
====================================================================
1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Application Runtimes Node.js 8 - noarch, x86_64

3. Description:

Red Hat Openshift Application Runtimes provides an application platform
that reduces the complexity of developing and operating applications
(monoliths and microservices) for OpenShift as a containerized platform.

This release of RHOAR Node.js 8.11.4 serves as a replacement for RHOAR
Node.js 8.11.3, and includes bug fixes and enhancements. For further
information, refer to the Release Notes linked to in the References
section.

Security Fix(es):

* openssl: Malicious server can send large prime to client during DH(E) TLS
handshake causing the client to hang (CVE-2018-0732)

* nodejs: Out of bounds (OOB) write via UCS-2 encoding (CVE-2018-12115)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
1620219 - CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

6. JIRA issues fixed (https://issues.redhat.com/):

NODE-153 - Productisation (Node CVE-2018-12115): Out of bounds (OOB) write
NODE-154 - Productisation (OpenSSL  (CVE-2018-0732): Client DoS due to large DH parameter
NODE-155 - Productisation (OpenSSL CVE not assigned): ECDSA key extraction via local side-channel
NODE-160 - Productisation (Errata): Build Node 8.11.4 RPMs

7. Package List:

Red Hat OpenShift Application Runtimes Node.js 8:

Source:
rhoar-nodejs-8.11.4-2.el7.src.rpm

noarch:
rhoar-nodejs-docs-8.11.4-2.el7.noarch.rpm

x86_64:
npm-5.6.0-1.8.11.4.2.el7.x86_64.rpm
rhoar-nodejs-8.11.4-2.el7.x86_64.rpm
rhoar-nodejs-debuginfo-8.11.4-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-0732
https://access.redhat.com/security/cve/CVE-2018-12115
https://access.redhat.com/security/updates/classification/#moderate
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

9. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW33SIdzjgjWX9erEAQh0fQ/9GdhX+/xfTe2HtglaQE+jvMP+JPiOorev
ajhLAbVYTM0W/T9PaQTllMOvQ8Hz7tk6Tx6CryKpREK7mGEprlp5npPQemNX9S1J
gaP6WQCuOX6yKTQC93a83FUpsFduwXX5MnCDnXbYDItnXaDfAXwPB/R1DM0R+uYL
1TiD7P2X+UfhW40GX4vhjjWaoxM5CvW3iRVMRXpf06tS2FMlIlADp89doNzXIpY1
cREKFlXaLxZt2FttP9tJATqqXDyW23prfWVpJJEHXPAxMhRfqZBjh+ftVEobOGQg
8gH1IQBsDYg5WSoWfWcZKeePi1bJmBXfR2nLnNRLGASZ+/0NMFuLtXGzucjon8nL
tyzyOAwBmWDOmGnHwPJMZZ7YrH9HsiRWvCMTsasg0/60G6jrazqGqUmQSlxLHkxy
ZD7MepPU3MUOHJrlXNw73pWtXdE5Z4Wjv9duuBZEo+s0rXfq7Ufq7r5D1fIgjLte
yhVooLS+98ypMlSFTsqdhxo8OH7ENroTo9pqa0SYpKig1/ODMnnAt/d8hPja0nzW
By8uX93OXsyR120HwAlnEVHZINoqsU/z8iEOd/o4He4wr12tUWssyuRHLEZEUe9y
KP76uM62Vp5fMrVXTwjUwK5Zj5ajWv9QMcmq/RSLy0k8nhaS8rlkgbk6Ltg69mCo
G6ct7pDZgFQ=tMx/
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2018-2552:01 Moderate: Red Hat OpenShift Application Runtimes

An update is now available for Red Hat OpenShift Application Runtimes

Summary

Red Hat Openshift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.
This release of RHOAR Node.js 8.11.4 serves as a replacement for RHOAR Node.js 8.11.3, and includes bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang (CVE-2018-0732)
* nodejs: Out of bounds (OOB) write via UCS-2 encoding (CVE-2018-12115)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2018-0732 https://access.redhat.com/security/cve/CVE-2018-12115 https://access.redhat.com/security/updates/classification/#moderate https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

Package List

Red Hat OpenShift Application Runtimes Node.js 8:
Source: rhoar-nodejs-8.11.4-2.el7.src.rpm
noarch: rhoar-nodejs-docs-8.11.4-2.el7.noarch.rpm
x86_64: npm-5.6.0-1.8.11.4.2.el7.x86_64.rpm rhoar-nodejs-8.11.4-2.el7.x86_64.rpm rhoar-nodejs-debuginfo-8.11.4-2.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2018:2552-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2552
Issued Date: : 2018-08-22
Keywords: Node.js
CVE Names: CVE-2018-0732 CVE-2018-12115

Topic

An update is now available for Red Hat OpenShift Application Runtimes.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat OpenShift Application Runtimes Node.js 8 - noarch, x86_64


Bugs Fixed

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang

1620219 - CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

6. JIRA issues fixed (https://issues.redhat.com/):

NODE-153 - Productisation (Node CVE-2018-12115): Out of bounds (OOB) write

NODE-154 - Productisation (OpenSSL (CVE-2018-0732): Client DoS due to large DH parameter

NODE-155 - Productisation (OpenSSL CVE not assigned): ECDSA key extraction via local side-channel

NODE-160 - Productisation (Errata): Build Node 8.11.4 RPMs


Related News

4.Lock AbstractDigital Esm H320
1 - 2 min read
Nmap 7.95 introduces myriad enhancements, primarily focusing on OS and service detection signatures. This reflects the dedication of the Nmap
5.ShakingHands Esm H320
3 - 5 min read
There has been a promising shift in the tech industry, with major companies pledging to release products with built-in security features. This
18.WifiCutout Landscape Esm H320
2 - 3 min read
A novel attack called TunnelVision has been discovered. It compromises the security of virtually all VPN apps, rendering their purpose useless. The
21.Globe RadiatingCode Esm H320
2 - 3 min read
The recent discovery of a backdoor in XZ Utils , a widely used Linux tool, raises concerns about the security of the open-source ecosystem. While
13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In
32.Lock Code Circular Esm H320
2 - 3 min read
Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned
1.Penguin Landscape Esm H320
2 - 3 min read
The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals
11.Locks IsometricPattern Esm H320
2 - 3 min read
The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved