FreeBSD Bugzilla – Attachment 176180 Details for
Bug 213800
security/vuxml: add entries for recent node.js vulnerabilities
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
node.js vuxml entries for the October security releases
nodejs-vuxml-entries.diff (text/plain), 4.56 KB, created by
Bradley T. Hughes
on 2016-10-26 09:51:00 UTC
(
hide
)
Description:
node.js vuxml entries for the October security releases
Filename:
MIME Type:
Creator:
Bradley T. Hughes
Created:
2016-10-26 09:51:00 UTC
Size:
4.56 KB
patch
obsolete
>commit b62ffcac20294cd9b553851577b7c2ae2204d927 >Author: Bradley T. Hughes <bradleythughes@fastmail.fm> >Date: Wed Oct 26 09:11:33 2016 +0000 > > security/vuxml: add entries for recent node.js vulnerabilities > > There are 2 entres: one for the c-ares bundled dependency and one for > multiple v6.x specific vulnerabilities. > > https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ > >diff --git security/vuxml/vuln.xml security/vuxml/vuln.xml >index 5370805..6ce556d 100644 >--- security/vuxml/vuln.xml >+++ security/vuxml/vuln.xml >@@ -58,6 +58,92 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="28bb6ee5-9b5c-11e6-b799-19bef72f4b7c"> >+ <topic>node.js -- ares_create_query single byte out of buffer write</topic> >+ <affects> >+ <package> >+ <name>node010</name> >+ <range><lt>0.10.48</lt></range> >+ </package> >+ <package> >+ <name>node012</name> >+ <range><lt>0.12.17</lt></range> >+ </package> >+ <package> >+ <name>node4</name> >+ <range><lt>4.6.1</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Node.js has released new verions containing the following security fix:</p> >+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/"> >+ <p>The following releases all contain fixes for CVE-2016-5180 "ares_create_query single >+ byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance), >+ Node.js v4.6.1 (LTS "Argon") >+ </p> >+ <p>While this is not a critical update, all users of these release lines should upgrade at >+ their earliest convenience. >+ </p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url> >+ <cvename>CVE-2016-5180</cvename> >+ </references> >+ <dates> >+ <discovery>2016-10-18</discovery> >+ <entry>2016-10-26</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="27180c99-9b5c-11e6-b799-19bef72f4b7c"> >+ <topic>node.js -- multiple vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>node</name> >+ <range><ge>6.0.0</ge><lt>6.9.0</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:</p> >+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/"> >+ <p>Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL >+ configuration file, from the OPENSSL_CONF environment variable or from the default >+ location for the current platform. Always triggering a configuration file load attempt >+ may allow an attacker to load compromised OpenSSL configuration into a Node.js process >+ if they are able to place a file in a default location. >+ </p> >+ <p>Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes, >+ potentially allowing an attacker to obtain sensitive information from arbitrary memory >+ locations via crafted JavaScript code. This vulnerability would require an attacker to >+ be able to execute arbitrary JavaScript code in a Node.js process. >+ </p> >+ <p>Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of >+ the inspector. This provides additional security to prevent unauthorized clients from >+ connecting to the Node.js process via the v8_inspector port when running with --inspect. >+ Since the debugging protocol allows extensive access to the internals of a running process, >+ and the execution of arbitrary code, it is important to limit connections to authorized >+ tools only. Note that the v8_inspector protocol in Node.js is still considered an >+ experimental feature. Vulnerability originally reported by Jann Horn. >+ </p> >+ <p>All of these vulnerabilities are considered low-severity for Node.js users, however, >+ users of Node.js v6.x should upgrade at their earliest convenience.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url> >+ <cvename>CVE-2016-5172</cvename> >+ </references> >+ <dates> >+ <discovery>2016-10-18</discovery> >+ <entry>2016-10-26</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="a479a725-9adb-11e6-a298-14dae9d210b8"> > <topic>FreeBSD -- bhyve - privilege escalation vulnerability</topic> > <affects>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=176180">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
bhughes
:
maintainer-approval?
(
ports-secteam
)
Actions:
View
|
Diff
Attachments on
bug 213800
: 176180