From: "Bradley T. Hughes"
Date: Sun, 3 Mar 2019 00:03:11 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r494469 - head/security/vuxml

Author: bhughes
Date: Sun Mar 3 00:03:11 2019
New Revision: 494469
URL: https://svnweb.freebsd.org/changeset/ports/494469

Log:
  security/vuxml: document Node.js February 2019 Security Releases

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

  Sponsored by: Miles AS

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Mar 3 00:00:26 2019 (r494468) +++ head/security/vuxml/vuln.xml Sun Mar 3 00:03:11 2019 (r494469) @@ -58,6 +58,52 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + Node.js -- multiple vulnerabilities + + + node + 11.10.1 + + + node10 + 10.15.2 + + + node8 + 8.15.1 + + + node6 + 6.17.0 + + + + +

Node.js reports:

+
+

Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability.

+

For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw.

+

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

+

OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

+

OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw.

+

Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.

+

Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability.

+
+ +
+ + https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ + CVE-2019-5737 + CVE-2019-5739 + CVE-2019-1559 + + + 2019-02-28 + 2019-03-03 + +
+ mybb -- vulnerabilities
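
Review bot: The references block lists CVE-2019-5737 and CVE-2019-5739, but the quoted description only explains CVE-2019-1559, so a reader cannot tell what those two cover or which of node, node10, node8 and node6 they affect. The description also states that the OpenSSL fix is included for Node.js 6 and 8 only and that 10 and 11 are not impacted, while node (11.10.1) and node10 (10.15.2) sit in the same entry under the CVE-2019-1559 reference. Suggest adding the upstream sections for the other two CVEs to the description, each with its affected release lines, so the version ranges for node and node10 are justified by the entry text itself.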