From owner-svn-ports-all@freebsd.org  Mon Mar  9 21:54:55 2020
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id ED8D426E697;
 Mon,  9 Mar 2020 21:54:55 +0000 (UTC)
 (envelope-from bhughes@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48bsTC5Gchz4cvn;
 Mon,  9 Mar 2020 21:54:55 +0000 (UTC)
 (envelope-from bhughes@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9841419629;
 Mon,  9 Mar 2020 21:54:55 +0000 (UTC)
 (envelope-from bhughes@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 029Lst1N015937;
 Mon, 9 Mar 2020 21:54:55 GMT (envelope-from bhughes@FreeBSD.org)
Received: (from bhughes@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 029Lssnu015935;
 Mon, 9 Mar 2020 21:54:54 GMT (envelope-from bhughes@FreeBSD.org)
Message-Id: <202003092154.029Lssnu015935@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: bhughes set sender to
 bhughes@FreeBSD.org using -f
From: "Bradley T. Hughes" <bhughes@FreeBSD.org>
Date: Mon, 9 Mar 2020 21:54:54 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r528135 - head/security/vuxml
X-SVN-Group: ports-head
X-SVN-Commit-Author: bhughes
X-SVN-Commit-Paths: head/security/vuxml
X-SVN-Commit-Revision: 528135
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 21:54:56 -0000

Author: bhughes
Date: Mon Mar  9 21:54:54 2020
New Revision: 528135
URL: https://svnweb.freebsd.org/changeset/ports/528135

Log:
  security/vuxml: document recent Node.js vulnerabilities
  
  https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
  
  While here, fix errors from `make validate` for the preceeding gitea
  vulnerabilities.
  
  Sponsored by:	Miles AS

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Mar  9 21:29:24 2020	(r528134)
+++ head/security/vuxml/vuln.xml	Mon Mar  9 21:54:54 2020	(r528135)
@@ -58,6 +58,50 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="0032400f-624f-11ea-b495-000d3ab229d6">
+    <topic>Node.js -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>node</name>
+	<range><lt>13.8.0</lt></range>
+      </package>
+      <package>
+	<name>node12</name>
+	<range><lt>12.15.0</lt></range>
+      </package>
+      <package>
+	<name>node10</name>
+	<range><lt>10.19.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Node.js reports:</p>
+	<blockquote cite="https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/">
+	  <p>Updates are now available for all active Node.js release lines for the following issues.</p>
+	  <h1>HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)</h1>
+	  <p>Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.</p>
+	  <h1>HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)</h1>
+	  <p>Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.</p>
+	  <h1>Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)</h1>
+	  <p>Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.</p>
+	  <h1>Strict HTTP header parsing (None)</h1>
+	  <p>Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a --insecure-http-parser CLI option or insecureHTTPParser http option can be used if necessary for interoperability, but is not recommended.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/</url>
+      <cvename>CVE-2019-15605</cvename>
+      <cvename>CVE-2019-15606</cvename>
+      <cvename>CVE-2019-15604</cvename>
+    </references>
+    <dates>
+      <discovery>2020-02-06</discovery>
+      <entry>2020-03-09</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="be088777-6085-11ea-8609-08002731610e">
     <topic>gitea -- multiple vulnerabilities</topic>
     <affects>
@@ -71,25 +115,25 @@ Notes:
 	<p>The Gitea Team reports for release 1.11.0:</p>
 	<blockquote cite="https://github.com/go-gitea/gitea/releases/tag/v1.11.0">
 	  <ul>
-            <li>Never allow an empty password to validate (#9682) (#9683)</li>
-            <li>Prevent redirect to Host (#9678) (#9679)</li>
-            <li>Swagger hide search field (#9554)</li>
-            <li>Add "search" to reserved usernames (#9063)</li>
-            <li>Switch to fomantic-ui (#9374)</li>
-            <li>Only serve attachments when linked to issue/release and if accessible by user (#9340)</li>
+	    <li>Never allow an empty password to validate (#9682) (#9683)</li>
+	    <li>Prevent redirect to Host (#9678) (#9679)</li>
+	    <li>Swagger hide search field (#9554)</li>
+	    <li>Add "search" to reserved usernames (#9063)</li>
+	    <li>Switch to fomantic-ui (#9374)</li>
+	    <li>Only serve attachments when linked to issue/release and if accessible by user (#9340)</li>
 	  </ul>
 	</blockquote>
 	<p>The Gitea Team reports for release 1.11.2:</p>
 	<blockquote cite="https://github.com/go-gitea/gitea/releases/tag/v1.11.2">
 	  <ul>
-            <li>Ensure only own addresses are updated (#10397) (#10399)</li>
-            <li>Logout POST action (#10582) (#10585)</li>
+	    <li>Ensure only own addresses are updated (#10397) (#10399)</li>
+	    <li>Logout POST action (#10582) (#10585)</li>
 	    <li>Org action fixes and form cleanup (#10512) (#10514)</li>
-            <li>Change action GETs to POST (#10462) (#10464)</li>
-            <li>Fix admin notices (#10480) (#10483)</li>
-            <li>Change admin dashboard to POST (#10465) (#10466)</li>
-            <li>Update markbates/goth (#10444) (#10445)</li>
-            <li>Update crypto vendors (#10385) (#10398)</li>
+	    <li>Change action GETs to POST (#10462) (#10464)</li>
+	    <li>Fix admin notices (#10480) (#10483)</li>
+	    <li>Change admin dashboard to POST (#10465) (#10466)</li>
+	    <li>Update markbates/goth (#10444) (#10445)</li>
+	    <li>Update crypto vendors (#10385) (#10398)</li>
 	  </ul>
 	</blockquote>
       </body>