Date: Fri, 1 Mar 2024 14:06:53 GMT From: Matthias Fechner <mfechner@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 44e2fbfdc3af - main - security/vuxml: document nodejs vulnerabilities Message-ID: <202403011406.421E6rMM024016@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by mfechner: URL: https://cgit.FreeBSD.org/ports/commit/?id=44e2fbfdc3afbb5371803c8db3b497aadaa724ac commit 44e2fbfdc3afbb5371803c8db3b497aadaa724ac Author: Matthias Fechner <mfechner@FreeBSD.org> AuthorDate: 2024-03-01 14:06:22 +0000 Commit: Matthias Fechner <mfechner@FreeBSD.org> CommitDate: 2024-03-01 14:06:44 +0000 security/vuxml: document nodejs vulnerabilities --- security/vuxml/vuln/2024.xml | 92 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 0ffcf444c06b..2f9c0ef11a79 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,95 @@ + <vuln vid="77a6f1c9-d7d2-11ee-bb12-001b217b3468"> + <topic>NodeJS -- Vulnerabilities</topic> + <affects> + <package> + <name>node</name> + <range><ge>21.0.0</ge><lt>21.6.2</lt></range> + <range><ge>20.0.0</ge><lt>20.11.1</lt></range> + <range><ge>18.0.0</ge><lt>18.19.1</lt></range> + <range><ge>16.0.0</ge><lt>16.20.3</lt></range> + </package> + <package> + <name>node16</name> + <range><ge>16.0.0</ge><lt>16.20.3</lt></range> + </package> + <package> + <name>node18</name> + <range><ge>18.0.0</ge><lt>18.19.1</lt></range> + </package> + <package> + <name>node20</name> + <range><ge>20.0.0</ge><lt>20.11.1</lt></range> + </package> + <package> + <name>node21</name> + <range><ge>21.0.0</ge><lt>21.6.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Node.js reports:</p> + <blockquote cite="https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#2024-02-14-version-20111-iron-lts-rafaelgss-prepared-by-marco-ippolito">; + <p>Code injection and privilege escalation through Linux capabilities- (High)</p> + <p>http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)</p> + <p>Path traversal by monkey-patching Buffer internals- (High)</p> + <p>setuid() does not drop all privileges due to io_uring - (High)</p> + <p>Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)</p> + <p>Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)</p> + <p>Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)</p> + <p>Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-21892</cvename> + <cvename>CVE-2024-22019</cvename> + <cvename>CVE-2024-21896</cvename> + <cvename>CVE-2024-22017</cvename> + <cvename>CVE-2023-46809</cvename> + <cvename>CVE-2024-21891</cvename> + <cvename>CVE-2024-21890</cvename> + <cvename>CVE-2024-22025</cvename> + <url>https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#2024-02-14-version-20111-iron-lts-rafaelgss-prepared-by-marco-ippolito</url>; + </references> + <dates> + <discovery>2024-02-14</discovery> + <entry>2024-03-01</entry> + </dates> + </vuln> + + <vuln vid="46a9eb0f-d7d2-11ee-bb12-001b217b3468"> + <topic>null -- null</topic> + <affects> + <package> + <name>null</name> + <range><lt>null</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>support@hackerone.com reports:</p> + <blockquote cite="https://hackerone.com/reports/2237545">; + <p>On Linux, Node.js ignores certain environment variables if those + may have been set by an unprivileged user while the process is + running with elevated privileges with the only exception of + CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this + exception, Node.js incorrectly applies this exception even when + certain other capabilities have been set. This allows unprivileged + users to inject code that inherits the process's elevated + privileges.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-21892</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-21892</url>; + </references> + <dates> + <discovery>2024-02-20</discovery> + <entry>2024-03-01</entry> + </dates> + </vuln> + <vuln vid="3567456a-6b17-41f7-ba7f-5cd3efb2b7c9"> <topic>electron{27,28} -- Use after free in Mojo</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202403011406.421E6rMM024016>