Date:      Thu, 14 Dec 2017 19:44:02 +0000 (UTC)
From:      "Bradley T. Hughes" <bhughes@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r456342 - head/security/vuxml
Message-ID:  <201712141944.vBEJi2Uc046403@repo.freebsd.org>

Author: bhughes
Date: Thu Dec 14 19:44:02 2017
New Revision: 456342
URL: https://svnweb.freebsd.org/changeset/ports/456342

Log:
  security/vuxml: document Node.js vulnerabilities, December 2017
  
  Approved by:	mat (co-mentor)
  Differential Revision:	https://reviews.freebsd.org/D13489

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Dec 14 19:42:43 2017	(r456341)
+++ head/security/vuxml/vuln.xml	Thu Dec 14 19:44:02 2017	(r456342)
@@ -58,6 +58,51 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="bea84a7a-e0c9-11e7-b4f3-11baa0c2df21">
+    <topic>node.js -- Data Confidentiality/Integrity Vulnerability, December 2017</topic>
+    <affects>
+      <package>
+	<name>node4</name>
+	<range><lt>4.8.7</lt></range>
+      </package>
+      <package>
+	<name>node6</name>
+	<range><lt>6.12.2</lt></range>
+      </package>
+      <package>
+	<name>node8</name>
+	<range><lt>8.9.3</lt></range>
+      </package>
+      <package>
+	<name>node</name>
+	<range><lt>9.2.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Node.js reports:</p>
+	<blockquote cite="https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/">;
+	  <h1>Data Confidentiality/Integrity Vulnerability - CVE-2017-15896</h1>
+	  <p>Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.</p>
+	  <h1>Uninitialized buffer vulnerability - CVE-2017-15897</h1>
+	  <p>Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.</p>
+	  <h1>Also included in OpenSSL update - CVE 2017-3738</h1>
+	  <p>Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/</url>;
+      <cvename>CVE-2017-15896</cvename>
+      <cvename>CVE-2017-15897</cvename>
+      <cvename>CVE-2017-3738</cvename>
+    </references>
+    <dates>
+      <discovery>2017-12-08</discovery>
+      <entry>2017-12-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="e72a8864-e0bc-11e7-b627-d43d7e971a1b">
     <topic>GitLab -- multiple vulnerabilities</topic>
     <affects>
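Review bot: the `<references>` block lists CVE-2017-15896, CVE-2017-15897 and CVE-2017-3738, but the quoted description names OpenSSL CVE-2017-3737 as the underlying issue behind CVE-2017-15896 ("Node.js was affected by OpenSSL vulnerability CVE-2017-3737 ..."), and that identifier is absent from the references; consider adding `<cvename>CVE-2017-3737</cvename>` so the entry is also found when searching or auditing by the OpenSSL CVE. The unhyphenated "CVE 2017-3738" in the quoted upstream text is fine to keep verbatim, since the `<cvename>` element already carries the canonical form.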