From nobody Fri Jul  8 12:12:23 2022
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BBA573E0CCD;
	Fri,  8 Jul 2022 12:12:23 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4LfXGH50snz3RRs;
	Fri,  8 Jul 2022 12:12:23 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4LfXGH44l8z1LRM;
	Fri,  8 Jul 2022 12:12:23 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 268CCNJk017574;
	Fri, 8 Jul 2022 12:12:23 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 268CCN9f017573;
	Fri, 8 Jul 2022 12:12:23 GMT
	(envelope-from git)
Date: Fri, 8 Jul 2022 12:12:23 GMT
Message-Id: <202207081212.268CCN9f017573@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Joseph Mingrone <jrm@FreeBSD.org>
Subject: git: 1d8be46b410a - main - security/vuxml: Document Node.js July 7th 2022 Security Releases
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jrm
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1d8be46b410ad134e974a779c8d7b983ee4bf57b
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by jrm:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1d8be46b410ad134e974a779c8d7b983ee4bf57b

commit 1d8be46b410ad134e974a779c8d7b983ee4bf57b
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2022-07-08 12:07:20 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2022-07-08 12:12:18 +0000

    security/vuxml: Document Node.js July 7th 2022 Security Releases
    
    https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
    
    Sponsored by:   The FreeBSD Foundation
---
 security/vuxml/vuln-2022.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 3a246ae7f48c..8c62c84a81d2 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,82 @@
+  <vuln vid="b9210706-feb0-11ec-81fa-1c697a616631">
+    <topic>Node.js -- July 7th 2022 Security Releases</topic>
+    <affects>
+      <package>
+	<name>node</name>
+	<range><ge>14.0.0</ge><lt>14.20.0</lt></range>
+	<range><ge>16.0.0</ge><lt>16.16.0</lt></range>
+	<range><ge>18.0.0</ge><lt>18.5.0</lt></range>
+      </package>
+      <package>
+	<name>node16</name>
+	<range><lt>16.16.0</lt></range>
+      </package>
+      <package>
+	<name>node14</name>
+	<range><lt>14.20.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Node.js reports:</p>
+	<blockquote cite="https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/">
+	  <h1>HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding
+	  (Medium)(CVE-2022-32213)</h1>
+	  <p>The llhttp parser in the http module does not correctly parse and
+	  validate Transfer-Encoding headers. This can lead to HTTP Request
+	  Smuggling (HRS).</p>
+	  <h1>HTTP Request Smuggling - Improper Delimiting of Header Fields
+	  (Medium)(CVE-2022-32214)</h1>
+	  <p>The llhttp parser in the http module does not strictly use the CRLF
+	  sequence to delimit HTTP requests. This can lead to HTTP Request
+	  Smuggling (HRS).</p>
+	  <h1>HTTP Request Smuggling - Incorrect Parsing of Multi-line
+	  Transfer-Encoding (Medium)(CVE-2022-32215)</h1>
+	  <p>The llhttp parser in the http module does not correctly handle
+	  multi-line Transfer-Encoding headers. This can lead to HTTP Request
+	  Smuggling (HRS).</p>
+	  <h1>DNS rebinding in --inspect via invalid IP addresses
+	  (High)(CVE-2022-32212)</h1>
+	  <p>The IsAllowedHost check can easily be bypassed because IsIPAddress
+	  does not properly check if an IP address is invalid or not. When an
+	  invalid IPv4 address is provided (for instance 10.0.2.555 is
+	  provided), browsers (such as Firefox) will make DNS requests to the
+	  DNS server, providing a vector for an attacker-controlled DNS server
+	  or a MITM who can spoof DNS responses to perform a rebinding attack
+	  and hence connect to the WebSocket debugger, allowing for arbitrary
+	  code execution. This is a bypass of CVE-2021-22884.</p>
+	  <h1>Attempt to read openssl.cnf from /home/iojs/build/ upon startup
+	  (Medium)(CVE-2022-32222)</h1>
+	  <p>When Node.js starts on linux based systems, it attempts to read
+	  /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf,
+	  which ordinarily doesn't exist. On some shared systems an attacker may
+	  be able create this file and therefore affect the default OpenSSL
+	  configuration for other users.</p>
+	  <h1>OpenSSL - AES OCB fails to encrypt some bytes
+	  (Medium)(CVE-2022-2097)</h1>
+	  <p>AES OCB mode for 32-bit x86 platforms using the AES-NI assembly
+	  optimised implementation will not encrypt the entirety of the data
+	  under some circumstances. This could reveal sixteen bytes of data that
+	  was preexisting in the memory that wasn't written. In the special case
+	  of "in place" encryption, sixteen bytes of the plaintext would be
+	  revealed.  Since OpenSSL does not support OCB based cipher suites for
+	  TLS and DTLS, they are both unaffected.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-44531</cvename>
+      <cvename>CVE-2021-44532</cvename>
+      <cvename>CVE-2021-44533</cvename>
+      <cvename>CVE-2022-21824</cvename>
+      <url>https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/</url>
+    </references>
+    <dates>
+      <discovery>2022-07-05</discovery>
+      <entry>2022-07-08</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
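Review bot: the `<references>` block does not match the description: it lists CVE-2021-44531, CVE-2021-44532, CVE-2021-44533 and CVE-2022-21824 (none of which are mentioned in the quoted advisory text), while the six CVEs the entry actually documents (CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32222 and CVE-2022-2097) have no `<cvename>` at all, so tooling that matches VuXML entries by CVE will associate this entry with the wrong advisory and miss the right ones. Suggest replacing the four `<cvename>` lines with one per CVE named in the body, for example `<cvename>CVE-2022-32212</cvename>` through `<cvename>CVE-2022-32222</cvename>` plus `<cvename>CVE-2022-2097</cvename>`. Also worth checking in `<affects>`: the `node` package carries an 18.x range (`<ge>18.0.0</ge><lt>18.5.0</lt>`) but, unlike `node16` and `node14`, there is no separate versioned package entry for 18.x; if such a port exists it needs its own `<package>` block with `<range><lt>18.5.0</lt></range>`.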