From nobody Fri Mar 1 14:06:53 2024 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TmVJY5P0zz5CRt4; Fri, 1 Mar 2024 14:06:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TmVJY4pLZz43t9; Fri, 1 Mar 2024 14:06:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1709302013; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DJebTFCKhIoa75NuPzsBOgoGWOjammTms+jRCEje96A=; b=uk7GmVYylUD4KwjVzjY+bjiWgQ2RKSaq+HZOp7HZAJXxAsploz7cpMRcC47ax03NaPtawj X2Wp1+XcCfDKPMv6SjfZAvpkRkxEjBg30PYDUPa9r0g95qR8P77nTkZ1DvJdeHZmj8+MU1 9fpb5fWmbRuFVtzJzVIR41DG1OfFw8ZizoA85K8XR/BXOzxiDOcp03wGpLR/SVTIKPexHJ Ezpw3Q/a4uAjZdN2HW4BHAqXdkQWKiI3Mscr4i1sIBRR7E9fdsyYfB6zZsFUillRam4dyb JnX4wK0Dv0jCBF1DqTvLR0nBRS7nyT7u98zYtl6sDcjN6uxEgKyPH8pfiMLwjg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1709302013; a=rsa-sha256; cv=none; b=CQ+4/zBwYiO2fpvuZ4naeFKbvqZwv+lMcwVlGN159+JUzogc63miZRaA5Mix7GutQY5G33 nCjZJ0+PscDo/WWiXjnEfxAVOz24Pu6vXJLPoOuagr1v5DM5vjscdn4VpPACbNQU5ifPaZ WT4Limr/Q0a2JHxNQ26HZotQukFFsDKxdDYTQXuAWEEIIyebl2kfSGiwH0XG8T7OeYLVi8 UoZJOWrt58xvX3IcGpXWmS1206GYjQLr6y/n3+UVYa6GDyL6Ppu0txmtNMbtFMVMjctaDD W4dFSV3CxrT8JV+YZJmBJnm/mAMLC0CXBN+aZ18fv0EK+Vssiy6ZAMEHJ4B3ug== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1709302013; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DJebTFCKhIoa75NuPzsBOgoGWOjammTms+jRCEje96A=; b=isE2hlf6xho6AnVoqGjhZRaEVj9g+b7Rar7HAoBWcG0Y64mSm6OEjOA1IBVIvWUOGP9RkA wUW/MjoaS+MmaEdKIfp/mq8LcVg4d1+ELthpBb66J+ywxs14Wkao/k1a9K//ZU02OURwZK E5Avw5K95QX6QfeqfbZSl+1e6BgK7yq6K7aLhwa2zLYu3p/N8DK84r7azpq/5/k2UWgQDo 9xFKnhXCJOELZT6Rp8OU3CgCQiGzY8QsJ/5BW95DqsxZSHEQSQ4VO5FGJr1bHd39mIz3t5 nvu0i5hatYRGTTSu90vkZLDxny0YgnD/GZkb+N+1ETTd8JdYc0mEWvmWYK+adQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TmVJY4JzvzSsH; Fri, 1 Mar 2024 14:06:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 421E6rBp024019; Fri, 1 Mar 2024 14:06:53 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 421E6rMM024016; Fri, 1 Mar 2024 14:06:53 GMT (envelope-from git) Date: Fri, 1 Mar 2024 14:06:53 GMT Message-Id: <202403011406.421E6rMM024016@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Matthias Fechner Subject: git: 44e2fbfdc3af - main - security/vuxml: document nodejs vulnerabilities List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mfechner X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 44e2fbfdc3afbb5371803c8db3b497aadaa724ac Auto-Submitted: auto-generated The branch main has been updated by mfechner: URL: https://cgit.FreeBSD.org/ports/commit/?id=44e2fbfdc3afbb5371803c8db3b497aadaa724ac commit 44e2fbfdc3afbb5371803c8db3b497aadaa724ac Author: Matthias Fechner AuthorDate: 2024-03-01 14:06:22 +0000 Commit: Matthias Fechner CommitDate: 2024-03-01 14:06:44 +0000 security/vuxml: document nodejs vulnerabilities --- security/vuxml/vuln/2024.xml | 92 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 0ffcf444c06b..2f9c0ef11a79 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,95 @@ + + NodeJS -- Vulnerabilities + + + node + 21.0.021.6.2 + 20.0.020.11.1 + 18.0.018.19.1 + 16.0.016.20.3 + + + node16 + 16.0.016.20.3 + + + node18 + 18.0.018.19.1 + + + node20 + 20.0.020.11.1 + + + node21 + 21.0.021.6.2 + + + + +

Node.js reports:

+
+

Code injection and privilege escalation through Linux capabilities- (High)

+

http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)

+

Path traversal by monkey-patching Buffer internals- (High)

+

setuid() does not drop all privileges due to io_uring - (High)

+

Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)

+

Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)

+

Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)

+

Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

+
+ +
+ + CVE-2024-21892 + CVE-2024-22019 + CVE-2024-21896 + CVE-2024-22017 + CVE-2023-46809 + CVE-2024-21891 + CVE-2024-21890 + CVE-2024-22025 + https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#2024-02-14-version-20111-iron-lts-rafaelgss-prepared-by-marco-ippolito + + + 2024-02-14 + 2024-03-01 + +
+ + + null -- null + + + null + null + + + + +

support@hackerone.com reports:

+
+

On Linux, Node.js ignores certain environment variables if those + may have been set by an unprivileged user while the process is + running with elevated privileges with the only exception of + CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this + exception, Node.js incorrectly applies this exception even when + certain other capabilities have been set. This allows unprivileged + users to inject code that inherits the process's elevated + privileges.

+
+ +
+ + CVE-2024-21892 + https://nvd.nist.gov/vuln/detail/CVE-2024-21892 + + + 2024-02-20 + 2024-03-01 + +
+ electron{27,28} -- Use after free in Mojo