<vuln vid="28bb6ee5-9b5c-11e6-b799-19bef72f4b7c">

    <topic>node.js -- ares_create_query single byte out of buffer write</topic>

    <affects>

      <package>

	<name>node010</name>

	<range><lt>0.10.48</lt></range>

      </package>

      <package>

	<name>node012</name>

	<range><lt>0.12.17</lt></range>

      </package>

      <package>

	<name>node4</name>

	<range><lt>4.6.1</lt></range>

      </package>

    </affects>

    <description>

      <body xmlns="http://www.w3.org/1999/xhtml">

	<p>Node.js has released new verions containing the following security fix:</p>

	<blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">

	  <p>The following releases all contain fixes for CVE-2016-5180 "ares_create_query single

	    byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance),

	Node.js v4.6.1 (LTS "Argon")

	  </p>

	  <p>While this is not a critical update, all users of these release lines should upgrade at

		their earliest convenience.

	  </p>

	</blockquote>

      </body>

    </description>

    <references>

      <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>

      <cvename>CVE-2016-5180</cvename>

    </references>

    <dates>

      <discovery>2016-10-18</discovery>

      <entry>2016-10-26</entry>

    </dates>

  </vuln>

  <vuln vid="27180c99-9b5c-11e6-b799-19bef72f4b7c">

   <topic>node.js -- multiple vulnerabilities</topic>

    <affects>

      <package>

	<name>node</name>

	<range><ge>6.0.0</ge><lt>6.9.0</lt></range>

      </package>

    </affects>

    <description>

      <body xmlns="http://www.w3.org/1999/xhtml">

	<p>Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:</p>

	<blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">

	  <p>Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL

	    configuration file, from the OPENSSL_CONF environment variable or from the default

	    location for the current platform. Always triggering a configuration file load attempt

	    may allow an attacker to load compromised OpenSSL configuration into a Node.js process

	    if they are able to place a file in a default location.

	  </p>

	  <p>Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes,

	    potentially allowing an attacker to obtain sensitive information from arbitrary memory

	    locations via crafted JavaScript code. This vulnerability would require an attacker to

	    be able to execute arbitrary JavaScript code in a Node.js process.

	  </p>

	  <p>Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of

	    the inspector. This provides additional security to prevent unauthorized clients from

	    connecting to the Node.js process via the v8_inspector port when running with --inspect.

	    Since the debugging protocol allows extensive access to the internals of a running process,

	    and the execution of arbitrary code, it is important to limit connections to authorized

	    tools only. Note that the v8_inspector protocol in Node.js is still considered an

	    experimental feature. Vulnerability originally reported by Jann Horn.

	  </p>

	  <p>All of these vulnerabilities are considered low-severity for Node.js users, however,

	    users of Node.js v6.x should upgrade at their earliest convenience.</p>

	</blockquote>

      </body>

    </description>

    <references>

      <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>

      <cvename>CVE-2016-5172</cvename>

    </references>

    <dates>

      <discovery>2016-10-18</discovery>

      <entry>2016-10-26</entry>

   </dates>

  </vuln>