The following flaw was reported in Node.js:
  This is a high severity defect that would allow a malicious TLS server to serve an invalid wildcard certificate for its hostname and be improperly validated by a Node.js client. This is due to a flaw in the validation of "*." in the wildcard name string.
External References:
  https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Created nodejs tracking bugs for this issue:
  Affects: fedora-all [bug 1379922]
Upstream commit:
  0.10.x: https://github.com/nodejs/node/commit/0d7e21ee7bcc79046f898f8c202d2ec87d23d711
  4.x: https://github.com/nodejs/node/commit/3ff82deb2c3bd580d64be75dbafe460393c952fb
Marking nodejs010-nodejs as WONTFIX because nodejs010 is past EOL. For further information regarding the Software Collection package life cycle policy, see: https://access.redhat.com/support/policy/updates/rhscl/
This issue has been addressed in the following products:
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Via RHSA-2017:0002 https://rhn.redhat.com/errata/RHSA-2017-0002.html
OpenShift Enterprise points to the rhscl/nodejs-4-rhel7 image, which includes node 4.6.2, see: https://github.com/openshift/library/blob/master/official/nodejs/imagestreams/nodejs-rhel7.json
Marking OpenShift Enterprise as notaffected.