Date: Fri, 28 Oct 2016 13:33:41 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r424839 - head/security/vuxml Message-ID: <201610281333.u9SDXf00051712@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: feld Date: Fri Oct 28 13:33:41 2016 New Revision: 424839 URL: https://svnweb.freebsd.org/changeset/ports/424839 Log: Document node vulnerabilities PR: 213800 Security: CVE-2016-5172 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Oct 28 13:10:00 2016 (r424838) +++ head/security/vuxml/vuln.xml Fri Oct 28 13:33:41 2016 (r424839) @@ -58,6 +58,93 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="28bb6ee5-9b5c-11e6-b799-19bef72f4b7c"> + <topic>node.js -- ares_create_query single byte out of buffer write</topic> + <affects> + <package> + <name>node010</name> + <range><lt>0.10.48</lt></range> + </package> + <package> + <name>node012</name> + <range><lt>0.12.17</lt></range> + </package> + <package> + <name>node4</name> + <range><lt>4.6.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Node.js has released new verions containing the following security fix:</p> + <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">; + <p>The following releases all contain fixes for CVE-2016-5180 "ares_create_query single + byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance), + Node.js v4.6.1 (LTS "Argon") + </p> + <p>While this is not a critical update, all users of these release lines should upgrade at + their earliest convenience. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>; + <cvename>CVE-2016-5180</cvename> + <freebsdpr>ports/213800</freebsdpr> + </references> + <dates> + <discovery>2016-10-18</discovery> + <entry>2016-10-26</entry> + </dates> + </vuln> + + <vuln vid="27180c99-9b5c-11e6-b799-19bef72f4b7c"> + <topic>node.js -- multiple vulnerabilities</topic> + <affects> + <package> + <name>node</name> + <range><ge>6.0.0</ge><lt>6.9.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:</p> + <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">; + <p>Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL + configuration file, from the OPENSSL_CONF environment variable or from the default + location for the current platform. Always triggering a configuration file load attempt + may allow an attacker to load compromised OpenSSL configuration into a Node.js process + if they are able to place a file in a default location. + </p> + <p>Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes, + potentially allowing an attacker to obtain sensitive information from arbitrary memory + locations via crafted JavaScript code. This vulnerability would require an attacker to + be able to execute arbitrary JavaScript code in a Node.js process. + </p> + <p>Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of + the inspector. This provides additional security to prevent unauthorized clients from + connecting to the Node.js process via the v8_inspector port when running with --inspect. + Since the debugging protocol allows extensive access to the internals of a running process, + and the execution of arbitrary code, it is important to limit connections to authorized + tools only. Note that the v8_inspector protocol in Node.js is still considered an + experimental feature. Vulnerability originally reported by Jann Horn. + </p> + <p>All of these vulnerabilities are considered low-severity for Node.js users, however, + users of Node.js v6.x should upgrade at their earliest convenience.</p> + </blockquote> + </body> + </description> + <references> + <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>; + <cvename>CVE-2016-5172</cvename> + </references> + <dates> + <discovery>2016-10-18</discovery> + <entry>2016-10-28</entry> + </dates> + </vuln> + <vuln vid="c5c6e293-9cc7-11e6-823f-b8aeed92ecc4"> <topic>urllib3 -- certificate verification failure</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201610281333.u9SDXf00051712>