Date: Wed, 16 Sep 2020 20:47:51 +0000 (UTC)
From: "Bradley T. Hughes" <bhughes@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r548798 - head/security/vuxml
Message-ID: <202009162047.08GKlpU2002229@repo.freebsd.org>
Author: bhughes
Date: Wed Sep 16 20:47:51 2020
New Revision: 548798
URL: https://svnweb.freebsd.org/changeset/ports/548798

Log:
  security/vuxml: document Node.js September 2020 Security Releases

  https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

  Sponsored by:	Miles AS

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Sep 16 20:05:00 2020	(r548797)
+++ head/security/vuxml/vuln.xml	Wed Sep 16 20:47:51 2020	(r548798)
@@ -58,6 +58,62 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="4ca5894c-f7f1-11ea-8ff8-0022489ad614"> + <topic>Node.js -- September 2020 Security Releases</topic> + <affects> + <package> + <name>node</name> + <range><lt>14.11.0</lt></range> + </package> + <package> + <name>node12</name> + <range><lt>12.18.4</lt></range> + </package> + <package> + <name>node10</name> + <range><lt>10.22.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Node.js reports:</p> + <blockquote cite="https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/"> + <p>Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.</p> + <h1>HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)</h1> + <p>Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.</p> + <p>Impacts:</p> + <ul> + <li>All versions of the 14.x and 12.x releases line</li> + </ul> + <h1>Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)</h1> + <p>Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. 
This should be set when Node.js is used as an edge server, for more details refer to the documentation.</p> + <p>Impacts:</p> + <ul> + <li>All versions of the 14.x release line</li> + </ul> + <h1>fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)</h1> + <p>libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.</p> + <p>Impacts:</p> + <ul> + <li>All versions of the 10.x release line</li> + <li>All versions of the 12.x release line</li> + <li>All versions of the 14.x release line before 14.9.0</li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/</url> + <cvename>CVE-2020-8201</cvename> + <cvename>CVE-2020-8251</cvename> + <cvename>CVE-2020-8252</cvename> + </references> + <dates> + <discovery>2020-09-08</discovery> + <entry>2020-09-16</entry> + </dates> + </vuln> + <vuln vid="6d334fdb-f7e7-11ea-88f8-901b0ef719ab"> <topic>FreeBSD -- ftpd privilege escalation via ftpchroot feature</topic> <affects>
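Review bot: the CVE-2020-8251 paragraph in the new entry quotes upstream as saying the new http.Server option requestTimeout "has a default value of 0 which means it is disabled by default", so a reader who upgrades node to 14.11.0 to clear this VuXML range is still exposed to the slow-request denial of service unless the application sets requestTimeout itself; consider adding a short sentence after the closing </blockquote> (outside the quote, since the body is upstream text) stating that the version bump alone does not enable the mitigation and pointing to the Node.js http documentation for requestTimeout. Minor, same hunk: "Updates are now available for v10,x, v12.x and v14.x" has a comma where a period is expected in "v10,x", and "The fix a new http.Server option" is missing a verb; check these against the cited URL before editing, because the blockquote is meant to reproduce the upstream advisory verbatim. The affected ranges themselves look consistent with the impact lists: node10 <10.22.1 only needs CVE-2020-8252, node12 <12.18.4 covers CVE-2020-8201 and CVE-2020-8252, and node <14.11.0 covers all three (the "before 14.9.0" bound for CVE-2020-8252 is subsumed by the other two).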