From owner-svn-ports-head@freebsd.org Tue Mar 9 06:26:49 2021 Return-Path: Delivered-To: svn-ports-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 37C3D56BA8A; Tue, 9 Mar 2021 06:26:49 +0000 (UTC) (envelope-from bhughes@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Dvlbs16qhz4tKD; Tue, 9 Mar 2021 06:26:49 +0000 (UTC) (envelope-from bhughes@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1538617784; Tue, 9 Mar 2021 06:26:49 +0000 (UTC) (envelope-from bhughes@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 1296Qmed033229; Tue, 9 Mar 2021 06:26:48 GMT (envelope-from bhughes@FreeBSD.org) Received: (from bhughes@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 1296Qmjb033228; Tue, 9 Mar 2021 06:26:48 GMT (envelope-from bhughes@FreeBSD.org) Message-Id: <202103090626.1296Qmjb033228@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bhughes set sender to bhughes@FreeBSD.org using -f From: "Bradley T. Hughes" Date: Tue, 9 Mar 2021 06:26:48 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r567892 - head/security/vuxml X-SVN-Group: ports-head X-SVN-Commit-Author: bhughes X-SVN-Commit-Paths: head/security/vuxml X-SVN-Commit-Revision: 567892 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2021 06:26:49 -0000 Author: bhughes Date: Tue Mar 9 06:26:48 2021 New Revision: 567892 URL: https://svnweb.freebsd.org/changeset/ports/567892 Log: security/vuxml: document Node.js February 2021 Security Releases https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ Sponsored by: Miles AS Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Mar 9 06:07:50 2021 (r567891) +++ head/security/vuxml/vuln.xml Tue Mar 9 06:26:48 2021 (r567892) @@ -78,6 +78,51 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + Node.js -- February 2021 Security Releases + + + node10 + 10.24.0 + + + node12 + 12.21.0 + + + node14 + 14.16.0 + + + node + 15.10.0 + + + + +

Node.js reports:

+
+

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

+

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

+

DNS rebinding in --inspect (CVE-2021-22884)

+

Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

+

OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)

+

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt

+
+ + + + https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ + CVE-2021-22883 + CVE-2021-22884 + CVE-2021-23840 + + + 2021-02-23 + 2021-03-09 + + + Gitlab -- Multiple vulnerabilities