From nobody Fri Jul 8 12:12:23 2022 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BBA573E0CCD; Fri, 8 Jul 2022 12:12:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LfXGH50snz3RRs; Fri, 8 Jul 2022 12:12:23 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1657282343; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=olMyF8xv4veCUutK7veL2R3aT6RLPNMFd9JixYSCVAs=; b=c9VSzVxcipogvb48ZIiLzZJDpCbLCxzlajV/GjM75gr0XDkZqlY0AhWuHjCAhpoBRBPOwP 4Ho0S3a0qb0GSKrhXYvpIQNc5P2oFqB99xWk2RQNVM0FtxOinKsIAKYsVvFB2DySRc3abT h4aIzBWv4GUk0NwuAm3BjZkakUCmCPMK6RqPSupZdHhBoS8Sosl8Q4fo7K0vVjlH22yiek dReGJczKtm05ZVcgbVrjYQVsWL3VBU4B2unvXptejiJdQlgFkYuz3iDwdrlG00901npJPQ EZ3ViN86jF6hy26e/MBuUfg/5AJxZ2wPHxL9A81Y7Jd4gS+xVqbt0ge6rIgzeg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4LfXGH44l8z1LRM; Fri, 8 Jul 2022 12:12:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 268CCNJk017574; Fri, 8 Jul 2022 12:12:23 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 268CCN9f017573; Fri, 8 Jul 2022 12:12:23 GMT (envelope-from git) Date: Fri, 8 Jul 2022 12:12:23 GMT Message-Id: <202207081212.268CCN9f017573@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Joseph Mingrone Subject: git: 1d8be46b410a - main - security/vuxml: Document Node.js July 7th 2022 Security Releases List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jrm X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1d8be46b410ad134e974a779c8d7b983ee4bf57b Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1657282343; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=olMyF8xv4veCUutK7veL2R3aT6RLPNMFd9JixYSCVAs=; b=Z7gvNtfO6ZpBxA2DSI3HBv9eHqcrC4SvoE0TxUnKPPtTFYj5sXnq12VIN1poEpRLB0l3cp J1phoatM0iNX/ZVFrde6Fn/XhxLnQI0+jHeCYD879jCVNG+e9STDoY/ZpHZwzMbzhaVHxO hvLkuidfU4+L31Yh9a3vOKdrIJrq+yLMeudscgmmam9Dr3xh9HWIZU9buDxi1idHWCvupN pylbbYk7kvPIXgq/6Il6d8M5Y+czybVVnZHtNQs62h569MY3LWVcoqPP15Fnv2ywi9t4Tl Rka9xye9avWktKo9BMo6X63pvOQgutllI4uLUMhttz7RPGt1K+YpDXpFqfF2cQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1657282343; a=rsa-sha256; cv=none; b=YW+NVbVaChkSqZnBfHjdoiG72S3LOpTXHIzMWbxNqEsfUk/EdQqIGonyaBIc9Mk/B6bA+/ Qekmgr/D0hvHZ0OdPe3FnHdHJ6DAtjBRFyd/EmUcciKM8VwT1AVqDtP8LgSrARyctOqJZ5 x/9HyTsMVQlpc3me3Q8FwfQKyHCnKl419yggX8O9fkYTDlIg0lwI0klKpeXsiKtle2dUXR 4StAlPi8vNebTXkSKyjbMYyXB5gQDRffExf0I5ccs6RGcFktw/eN06RSuprVvVacveHy1k iWxUdxAMsVw7HATL2Gum5NMMdkZvEB3bxX9kSPoi2Onx9qI0ezRyCWN5z4UvSw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by jrm: URL: https://cgit.FreeBSD.org/ports/commit/?id=1d8be46b410ad134e974a779c8d7b983ee4bf57b commit 1d8be46b410ad134e974a779c8d7b983ee4bf57b Author: Joseph Mingrone AuthorDate: 2022-07-08 12:07:20 +0000 Commit: Joseph Mingrone CommitDate: 2022-07-08 12:12:18 +0000 security/vuxml: Document Node.js July 7th 2022 Security Releases https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ Sponsored by: The FreeBSD Foundation --- security/vuxml/vuln-2022.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 3a246ae7f48c..8c62c84a81d2 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,82 @@ + + Node.js -- July 7th 2022 Security Releases + + + node + 14.0.014.20.0 + 16.0.016.16.0 + 18.0.018.5.0 + + + node16 + 16.16.0 + + + node14 + 14.20.0 + + + + +

Node.js reports:

+
+

HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding + (Medium)(CVE-2022-32213)

+

The llhttp parser in the http module does not correctly parse and + validate Transfer-Encoding headers. This can lead to HTTP Request + Smuggling (HRS).

+

HTTP Request Smuggling - Improper Delimiting of Header Fields + (Medium)(CVE-2022-32214)

+

The llhttp parser in the http module does not strictly use the CRLF + sequence to delimit HTTP requests. This can lead to HTTP Request + Smuggling (HRS).

+

HTTP Request Smuggling - Incorrect Parsing of Multi-line + Transfer-Encoding (Medium)(CVE-2022-32215)

+

The llhttp parser in the http module does not correctly handle + multi-line Transfer-Encoding headers. This can lead to HTTP Request + Smuggling (HRS).

+

DNS rebinding in --inspect via invalid IP addresses + (High)(CVE-2022-32212)

+

The IsAllowedHost check can easily be bypassed because IsIPAddress + does not properly check if an IP address is invalid or not. When an + invalid IPv4 address is provided (for instance 10.0.2.555 is + provided), browsers (such as Firefox) will make DNS requests to the + DNS server, providing a vector for an attacker-controlled DNS server + or a MITM who can spoof DNS responses to perform a rebinding attack + and hence connect to the WebSocket debugger, allowing for arbitrary + code execution. This is a bypass of CVE-2021-22884.

+

Attempt to read openssl.cnf from /home/iojs/build/ upon startup + (Medium)(CVE-2022-32222)

+

When Node.js starts on linux based systems, it attempts to read + /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, + which ordinarily doesn't exist. On some shared systems an attacker may + be able create this file and therefore affect the default OpenSSL + configuration for other users.

+

OpenSSL - AES OCB fails to encrypt some bytes + (Medium)(CVE-2022-2097)

+

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly + optimised implementation will not encrypt the entirety of the data + under some circumstances. This could reveal sixteen bytes of data that + was preexisting in the memory that wasn't written. In the special case + of "in place" encryption, sixteen bytes of the plaintext would be + revealed. Since OpenSSL does not support OCB based cipher suites for + TLS and DTLS, they are both unaffected.

+
+ + + + CVE-2021-44531 + CVE-2021-44532 + CVE-2021-44533 + CVE-2022-21824 + https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ + + + 2022-07-05 + 2022-07-08 + + + chromium -- multiple vulnerabilities