Date: Mon, 27 Aug 2018 11:19:03 +0000 (UTC)
From: "Bradley T. Hughes" <bhughes@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r478191 - head/security/vuxml
Message-ID: <201808271119.w7RBJ3co025100@repo.freebsd.org>
Author: bhughes Date: Mon Aug 27 11:19:02 2018 New Revision: 478191 URL: https://svnweb.freebsd.org/changeset/ports/478191 Log: security/vuxml: document Node.js vulnerabilities https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ Sponsored by: Miles AS Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Aug 27 11:05:13 2018 (r478190) +++ head/security/vuxml/vuln.xml Mon Aug 27 11:19:02 2018 (r478191) 
@@ -58,6 +58,83 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="0904e81f-a89d-11e8-afbb-bc5ff4f77b71"> + <topic>node.js -- multiple vulnerabilities</topic> + <affects> + <package> + <name>node</name> + <range><lt>10.9.0</lt></range> + </package> + <package> + <name>node8</name> + <range><lt>8.11.4</lt></range> + </package> + <package> + <name>node6</name> + <range><lt>6.14.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Node.js reports:</p> + <blockquote cite="https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/"> + <h1>OpenSSL: Client DoS due to large DH parameter</h1> + <p>This fixes a potential denial of service (DoS) attack + against client connections by a malicious server. During a TLS + communication handshake, where both client and server agree to + use a cipher-suite using DH or DHE (Diffie-Hellman, in both + ephemeral and non-ephemeral modes), a malicious server can + send a very large prime value to the client. Because this has + been unbounded in OpenSSL, the client can be forced to spend + an unreasonably long period of time to generate a key, + potentially causing a denial of service.</p> + <h1>OpenSSL: ECDSA key extraction via local side-channel</h1> + <p>Attackers with access to observe cache-timing may be able + to extract DSA or ECDSA private keys by causing the victim to + create several signatures and watching responses. This flaw + does not have a CVE due to OpenSSL policy to not assign itself + CVEs for local-only vulnerabilities that are more academic + than practical. 
This vulnerability was discovered by Keegan + Ryan at NCC Group and impacts many cryptographic libraries + including OpenSSL.</p> + <h1>Unintentional exposure of uninitialized memory</h1> + <p>Only Node.js 10 is impacted by this flaw.</p> + <p>Node.js TSC member Nikita Skovoroda discovered an argument + processing flaw that causes Buffer.alloc() to return + uninitialized memory. This method is intended to be safe and + only return initialized, or cleared, memory. The third + argument specifying encoding can be passed as a number, this + is misinterpreted by Buffer's internal "fill" method as the + start to a fill operation. This flaw may be abused where + Buffer.alloc() arguments are derived from user input to return + uncleared memory blocks that may contain sensitive + information.</p> + <h1>Out of bounds (OOB) write</h1> + <p>Node.js TSC member Nikita Skovoroda discovered an OOB write + in Buffer that can be used to write to memory outside of a + Buffer's memory space. This can corrupt unrelated Buffer + objects or cause the Node.js process to crash.</p> + <p>When used with UCS-2 encoding (recognized by Node.js under + the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'), + Buffer#write() can be abused to write outside of the bounds of + a single Buffer. Writes that start from the second-to-last + position of a buffer cause a miscalculation of the maximum + length of the input bytes to be written.</p> + </blockquote> + </body> + </description> + <references> + <url>https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/</url> + <cvename>CVE-2018-0732</cvename> + <cvename>CVE-2018-7166</cvename> + <cvename>CVE-2018-12115</cvename> + </references> + <dates> + <discovery>2018-08-16</discovery> + <entry>2018-08-25</entry> + </dates> + </vuln> + <vuln vid="45671c0e-a652-11e8-805b-a4badb2f4699"> <topic>FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability</topic> <affects>
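Review bot: In the `<dates>` block at the end of the new entry, `<entry>2018-08-25</entry>` is two days earlier than this revision's commit date (Mon Aug 27 2018). If `<entry>` is meant to record the day the entry was added to vuln.xml, it should read 2018-08-27 so that it matches r478191. The three `<cvename>` references against four described issues are consistent with the quoted statement that the ECDSA side-channel has no CVE, so nothing is missing there.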