Date: Fri, 15 Jun 2018 05:09:51 +0000 (UTC) From: "Bradley T. Hughes" <bhughes@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r472426 - head/security/vuxml Message-ID: <201806150509.w5F59pRM059372@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: bhughes Date: Fri Jun 15 05:09:51 2018 New Revision: 472426 URL: https://svnweb.freebsd.org/changeset/ports/472426 Log: security/vuxml: document Node.js vulnerabilities https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/ Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Jun 15 04:50:30 2018 (r472425) +++ head/security/vuxml/vuln.xml Fri Jun 15 05:09:51 2018 (r472426) @@ -58,6 +58,81 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="45b8e2eb-7056-11e8-8fab-63ca6e0e13a2"> + <topic>node.js -- multiple vulnerabilities</topic> + <affects> + <package> + <name>node6</name> + <range><lt>6.14.3</lt></range> + </package> + <package> + <name>node8</name> + <range><lt>8.11.3</lt></range> + </package> + <package> + <name>node</name> + <range><lt>10.4.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Node.js reports:</p> + <blockquote cite="https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/">; + <h1>Denial of Service Vulnerability in HTTP/2 (CVE-2018-7161)</h1> + <p>All versions of 8.x and later are vulnerable and the severity is + HIGH. An attacker can cause a denial of service (DoS) by causing a + node server providing an http2 server to crash. This can be + accomplished by interacting with the http2 server in a manner that + triggers a cleanup bug where objects are used in native code after + they are no longer available. This has been addressed by updating + the http2 implementation. Thanks to Jordan Zebor at F5 Networks for + reporting this issue.</p> + <h1>Denial of Service, nghttp2 dependency (CVE-2018-1000168)</h1> + <p>All versions of 9.x and later are vulnerable and the severity is + HIGH. Under certain conditions, a malicious client can trigger an + uninitialized read (and a subsequent segfault) by sending a + malformed ALTSVC frame. This has been addressed through an by + updating nghttp2.</p> + <h1>Denial of Service Vulnerability in TLS (CVE-2018-7162)</h1> + <p>All versions of 9.x and later are vulnerable and the severity is + HIGH. An attacker can cause a denial of service (DoS) by causing a + node process which provides an http server supporting TLS server to + crash. This can be accomplished by sending duplicate/unexpected + messages during the handshake. This vulnerability has been addressed + by updating the TLS implementation. Thanks to Jordan Zebor at F5 + Networks all of his help investigating this issue with the Node.js + team.</p> + <h1>Memory exhaustion DoS on v9.x (CVE-2018-7164)</h1> + <p>Versions 9.7.0 and later are vulnerable and the severity is MEDIUM. + A bug introduced in 9.7.0 increases the memory consumed when reading + from the network into JavaScript using the net.Socket object + directly as a stream. An attacker could use this cause a denial of + service by sending tiny chunks of data in short succession. This + vulnerability was restored by reverting to the prior behaviour.</p> + <h1>Calls to Buffer.fill() and/or Buffer.alloc() may hang (CVE-2018-7167)</h1> + <p>Calling Buffer.fill() or Buffer.alloc() with some parameters can + lead to a hang which could result in a Denial of Service. In order + to address this vulnerability, the implementations of Buffer.alloc() + and Buffer.fill() were updated so that they zero fill instead of + hanging in these cases.</p> + </blockquote> + </body> + </description> + <references> + <url>https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/</url>; + <url>https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/</url>; + <cvename>CVE-2018-7161</cvename> + <cvename>CVE-2018-7162</cvename> + <cvename>CVE-2018-7164</cvename> + <cvename>CVE-2018-7167</cvename> + <cvename>CVE-2018-1000168</cvename> + </references> + <dates> + <discovery>2018-06-12</discovery> + <entry>2018-06-15</entry> + </dates> + </vuln> + <vuln vid="53eb9e1e-7014-11e8-8b1f-3065ec8fd3ec"> <topic>password-store -- GPG parsing vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806150509.w5F59pRM059372>