Mageia 2019-0277: nodejs security update
Summary
This update provides nodejs v6.17.1, fixing at least the following security
issues:
- The c-ares function ares_parse_naptr_reply(), which is used for parsing
  NAPTR responses, could be triggered to read memory outside of the given
  input buffer (CVE-2017-1000381)
- Fix for 'path' module regular expression denial of service (CVE-2018-7158)
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159)
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)
- buffer: Fixes Denial of Service vulnerability where calling Buffer.fill()
  could hang (CVE-2018-7167)
- buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding
  (CVE-2018-12115)
- Node.js: HTTP request splitting (CVE-2018-12116)
- Node.js: Debugger port 5858 listens on any interface by default
  (CVE-2018-12120)
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122)
- Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
No...
References
- https://bugs.mageia.org/show_bug.cgi?id=21330
- https://nodejs.org/en/blog/release/v6.11.0/
- https://nodejs.org/en/blog/release/v6.11.1/
- https://nodejs.org/en/blog/release/v6.11.2/
- https://nodejs.org/en/blog/release/v6.11.3/
- https://nodejs.org/en/blog/release/v6.11.4/
- https://nodejs.org/en/blog/release/v6.12.0/
- https://nodejs.org/en/blog/release/v6.12.1/
- https://nodejs.org/en/blog/release/v6.12.2/
- https://nodejs.org/en/blog/release/v6.12.3/
- https://nodejs.org/en/blog/release/v6.13.0/
- https://nodejs.org/en/blog/release/v6.13.1/
- https://nodejs.org/en/blog/release/v6.14.0/
- https://nodejs.org/en/blog/release/v6.14.1/
- https://nodejs.org/en/blog/release/v6.14.2/
- https://nodejs.org/en/blog/release/v6.14.3/
- https://nodejs.org/en/blog/release/v6.15.0/
- https://nodejs.org/en/blog/release/v6.15.1/
- https://nodejs.org/en/blog/release/v6.16.0/
- https://nodejs.org/en/blog/release/v6.17.0/
- https://nodejs.org/en/blog/release/v6.17.1/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7158
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7159
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7167
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12115
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12120
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12121
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12122
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12123
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5739
Resolution
MGASA-2019-0277 - Updated nodejs packages fix security vulnerabilities
SRPMS
- 6/core/nodejs-6.17.1-8.mga6
- 6/core/http-parser-2.9.2-1.mga6
- 6/core/libuv-1.16.1-1.mga6