From owner-svn-ports-all@freebsd.org Fri Oct 28 13:33:42 2016 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A4A6AC24DC7; Fri, 28 Oct 2016 13:33:42 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7EB57C09; Fri, 28 Oct 2016 13:33:42 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u9SDXfSb051714; Fri, 28 Oct 2016 13:33:41 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u9SDXf00051712; Fri, 28 Oct 2016 13:33:41 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201610281333.u9SDXf00051712@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f From: Mark Felder Date: Fri, 28 Oct 2016 13:33:41 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r424839 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Oct 2016 13:33:42 -0000 Author: feld Date: Fri Oct 28 13:33:41 2016 New Revision: 424839 URL: https://svnweb.freebsd.org/changeset/ports/424839 Log: Document node vulnerabilities PR: 213800 Security: CVE-2016-5172 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Oct 28 13:10:00 2016 (r424838) +++ head/security/vuxml/vuln.xml Fri Oct 28 13:33:41 2016 (r424839) @@ -58,6 +58,93 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + node.js -- ares_create_query single byte out of buffer write + + + node010 + 0.10.48 + + + node012 + 0.12.17 + + + node4 + 4.6.1 + + + + +

Node.js has released new verions containing the following security fix:

+
+

The following releases all contain fixes for CVE-2016-5180 "ares_create_query single + byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance), + Node.js v4.6.1 (LTS "Argon") +

+

While this is not a critical update, all users of these release lines should upgrade at + their earliest convenience. +

+
+ +
+ + https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ + CVE-2016-5180 + ports/213800 + + + 2016-10-18 + 2016-10-26 + +
+ + + node.js -- multiple vulnerabilities + + + node + 6.0.06.9.0 + + + + +

Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:

+
+

Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL + configuration file, from the OPENSSL_CONF environment variable or from the default + location for the current platform. Always triggering a configuration file load attempt + may allow an attacker to load compromised OpenSSL configuration into a Node.js process + if they are able to place a file in a default location. +

+

Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes, + potentially allowing an attacker to obtain sensitive information from arbitrary memory + locations via crafted JavaScript code. This vulnerability would require an attacker to + be able to execute arbitrary JavaScript code in a Node.js process. +

+

Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of + the inspector. This provides additional security to prevent unauthorized clients from + connecting to the Node.js process via the v8_inspector port when running with --inspect. + Since the debugging protocol allows extensive access to the internals of a running process, + and the execution of arbitrary code, it is important to limit connections to authorized + tools only. Note that the v8_inspector protocol in Node.js is still considered an + experimental feature. Vulnerability originally reported by Jann Horn. +

+

All of these vulnerabilities are considered low-severity for Node.js users, however, + users of Node.js v6.x should upgrade at their earliest convenience.

+
+ +
+ + https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ + CVE-2016-5172 + + + 2016-10-18 + 2016-10-28 + +
+ urllib3 -- certificate verification failure