Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

External References:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1516177]
Affects: openshift-1 [bug 1516176]
Upstream bug report:
https://github.com/nodejs/node/issues/13082

Patch pull request:
https://github.com/nodejs/node/pull/13098

rh-nodejs6-nodejs and rh-nodejs8-nodejs contain the fixed code already. rh-nodejs4-nodejs does not, but we don't ship zlib 1.2.9, so it does not really matter for RHSCL/RHEL.
Openshift Enterprise uses the RHSCL nodejs-4-rhel7 image which doesn't include zlib 1.2.9. Marking as not affected.