Date: Thu, 13 Jul 2017 10:57:19 +0000 (UTC)
From: "Bradley T. Hughes" <bhughes@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r445644 - head/security/vuxml
Message-ID: <201707131057.v6DAvJWH021314@repo.freebsd.org>
Author: bhughes
Date: Thu Jul 13 10:57:18 2017
New Revision: 445644

URL: https://svnweb.freebsd.org/changeset/ports/445644

Log:
  security/vuxml: add node.js vulnerabilities announced 2017-07-11

  The vulnerability in the bundled c-ares dependency is not included, since
  the Node.js ports use dns/c-ares as a dependency instead.

  Approved by:	mat (co-mentor)
  MFH:		2017Q3
  Security:	http://www.vuxml.org/freebsd/3eff66c5-66c9-11e7-aa1d-3d2e663cef42.html
  Differential Revision:	https://reviews.freebsd.org/D11561

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Jul 13 10:52:33 2017	(r445643)
+++ head/security/vuxml/vuln.xml	Thu Jul 13 10:57:18 2017	(r445644)
@@ -58,6 +58,60 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="3eff66c5-66c9-11e7-aa1d-3d2e663cef42"> + <topic>node.js -- multiple vulnerabilities</topic> + <affects> + <package> + <name>node</name> + <range><lt>8.1.4</lt></range> + </package> + <package> + <name>node4</name> + <range><lt>4.8.4</lt></range> + </package> + <package> + <name>node6</name> + <range><lt>6.11.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Updates are now available for all active Node.js release lines as + well as the 7.x line. These include the fix for the high severity + vulnerability identified in the initial announcement, one additional + lower priority Node.js vulnerability in the 4.x release line, as well + as some lower priority fixes for Node.js dependencies across the + current release lines.</p> + <blockquote cite="https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/"> + <h2>Constant Hashtable Seeds (CVE pending)</h2> + <p>Node.js was susceptible to hash flooding remote DoS attacks as the + HashTable seed was constant across a given released version of + Node.js. This was a result of building with V8 snapshots enabled by + default which caused the initially randomized seed to be overwritten + on startup. 
Thanks to Jann Horn of Google Project Zero for reporting + this vulnerability.</p> + <p>This is a high severity vulnerability and applies to all active + release lines (4.x, 6.x, 8.x) as well as the 7.x line.</p> + <h2>http.get with numeric authorization options creates uninitialized + buffers</h2> + <p>Application code that allows the auth field of the options object + used with http.get() to be set to a number can result in an + uninitialized buffer being created/used as the authentication + string.</p> + <p>This is a low severity defect and only applies to the 4.x release + line.</p> + </blockquote> + </body> + </description> + <references> + <url>https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/</url> + </references> + <dates> + <discovery>2017-06-27</discovery> + <entry>2017-07-12</entry> + </dates> + </vuln> + <vuln vid="b28adc5b-6693-11e7-ad43-f0def16c5c1b"> <topic>nginx -- a specially crafted request might result in an integer overflow</topic> <affects>
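Review bot: the `<references>` block of the new entry carries only the advisory `<url>`, while the first heading in the quoted description, `<h2>Constant Hashtable Seeds (CVE pending)</h2>`, says the identifier had not been assigned yet and the http.get uninitialized-buffer issue is listed with no identifier at all; once the CVE numbers are published, a follow-up commit should add a `<cvename>` element next to the `<url>` for each so the entry can be found by CVE. The `<affects>` ranges (node < 8.1.4, node4 < 4.8.4, node6 < 6.11.1) agree with the fixed versions in the description, and the 4.x-only low-severity issue is covered by the node4 range, so no change is needed there.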