nodejs dev team has announced v0.10.21 for "an undisclosed HTTP vulnerability fix." This is a very crude kludge to put v0.10.21, instead of v0.10.20 as of 0000UTC 19-OCT-2013. See https://groups.google.com/forum/#!msg/nodejs/NEbweYB0ei0/gWvyzCunYjsJ for the details of the severity.
Fix: Patch given. Apply this at /usr/local/www/node and rebuild the Port.
Patch attached with submission follows:
How-To-Repeat: /usr/local/bin/node --version
Maintainer of www/node, Please note that PR ports/183092 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/183092 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Responsible Changed From-To: freebsd-ports-bugs->swills I'll take it.
Author: swills Date: Sat Oct 19 02:48:02 2013 New Revision: 330834 URL: http://svnweb.freebsd.org/changeset/ports/330834 Log: - Update to 0.10.21 to address a security issue PR: ports/183092 Submitted by: Kenji Rikitake <kenji.rikitake@acm.org> Security: 206f9826-a06d-4927-9a85-771c37010b32 Modified: head/security/vuxml/vuln.xml head/www/node/Makefile head/www/node/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Oct 19 02:40:28 2013 (r330833) +++ head/security/vuxml/vuln.xml Sat Oct 19 02:48:02 2013 (r330834) @@ -51,6 +51,31 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="206f9826-a06d-4927-9a85-771c37010b32"> + <topic>node.js -- DoS Vulnerability</topic> + <affects> + <package> + <name>node</name> + <range><lt>0.10.21</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>node.js developers report</p> + <blockquote cite="http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/"> + <p>This release contains a security fix for the http server implementation, please upgrade as soon as possible.</p> + </blockquote> + </body> + </description> + <references> + <url>http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/</url> + </references> + <dates> + <discovery>2013-10-19</discovery> + <entry>2013-10-19</entry> + </dates> + </vuln> + <vuln vid="e135f0c9-375f-11e3-80b7-20cf30e32f6d"> <topic>bugzilla -- multiple vulnerabilities</topic> <affects> Modified: head/www/node/Makefile ============================================================================== --- head/www/node/Makefile Sat Oct 19 02:40:28 2013 (r330833) +++ head/www/node/Makefile Sat Oct 19 02:48:02 2013 (r330834) 
@@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= node -PORTVERSION= 0.10.19 +PORTVERSION= 0.10.21 CATEGORIES= www MASTER_SITES= http://nodejs.org/dist/v${PORTVERSION}/ DISTNAME= ${PORTNAME}-v${PORTVERSION} Modified: head/www/node/distinfo ============================================================================== --- head/www/node/distinfo Sat Oct 19 02:40:28 2013 (r330833) +++ head/www/node/distinfo Sat Oct 19 02:48:02 2013 (r330834) @@ -1,2 +1,2 @@ -SHA256 (node-v0.10.19.tar.gz) = e50787672cdf6afa6caeef9345ca40c4a69f96a31829a0884ea6ed63dfdde21e -SIZE (node-v0.10.19.tar.gz) = 13627909 +SHA256 (node-v0.10.21.tar.gz) = 7c125bf22c1756064f2a68310d4822f77c8134ce178b2faa6155671a8124140d +SIZE (node-v0.10.21.tar.gz) = 13647047
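Review bot: In the vuln.xml hunk, `<discovery>2013-10-19</discovery>` is later than the upstream announcement the entry cites, whose URL is dated 2013/10/18. The discovery date should be no later than the disclosure, so use 2013-10-18 there and keep `<entry>` at 2013-10-19. Separately, the topic says "DoS Vulnerability" while the quoted blockquote only says "a security fix for the http server implementation"; either add the source for the DoS classification (the announcement thread linked in the PR) to `<references>` or word the topic to match what the cited page states.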
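Review bot: In the distinfo hunk, nothing in the commit records how the new SHA256 for node-v0.10.21.tar.gz was checked, and the Makefile hunk shows MASTER_SITES fetching over plain http (`http://nodejs.org/dist/v${PORTVERSION}/`), so a checksum generated from the downloaded file only pins whatever was received. For a security update, compare the value against a checksum published by upstream over an authenticated channel before committing, and say so in the log.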
State Changed From-To: feedback->closed Committed. Thanks!