<8.14.0: https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.14.0
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
Node.js: HTTP request splitting (CVE-2018-12116)

<10.14.0: https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V10.md#10.14.0
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

<11.3.0: https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V11.md#11.3.0
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
<6.15.0: https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.15.0
Node.js: Debugger port 5858 listens on any interface by default (CVE-2018-12120)
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
Node.js: HTTP request splitting (CVE-2018-12116)
I am trying to get the ebuilds in but it seems I can't:

# git push --signed origin master
FATAL -- ACCESS DENIED
Repo repo/gentoo
User jer@gentoo.org
Stage Before git was called
Operation Repo write
FATAL: W any repo/gentoo jer@gentoo.org DENIED by fallthru
(or you mis-spelled the reponame)
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
comrel is irrelevant here, blame infra
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=478037530d3b293185e8bcd1230daaaa7e032d1e

commit 478037530d3b293185e8bcd1230daaaa7e032d1e
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2018-11-28 10:43:11 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2018-11-29 22:19:29 +0000

net-libs/nodejs: Old

Package-Manager: Portage-2.3.52, Repoman-2.3.12
Bug: https://bugs.gentoo.org/672136
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/Manifest | 6 -
net-libs/nodejs/nodejs-10.13.0-r1.ebuild | 205 ------------------------------
net-libs/nodejs/nodejs-11.2.0-r1.ebuild | 205 ------------------------------
net-libs/nodejs/nodejs-4.8.7.ebuild | 143 ---------------------
net-libs/nodejs/nodejs-6.11.5.ebuild | 193 ----------------------------
net-libs/nodejs/nodejs-8.13.0-r2.ebuild | 207 -------------------------------
net-libs/nodejs/nodejs-9.11.2-r2.ebuild | 202 ------------------------------
7 files changed, 1161 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8879e4b3957a10551641e9e045397a908b1dd982

commit 8879e4b3957a10551641e9e045397a908b1dd982
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2018-11-28 10:38:49 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2018-11-29 22:19:29 +0000

net-libs/nodejs: Versions 6.15.0 8.14.0 10.14.0 11.3.0

Package-Manager: Portage-2.3.52, Repoman-2.3.12
Bug: https://bugs.gentoo.org/672136
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/Manifest | 4 +
net-libs/nodejs/nodejs-10.14.0.ebuild | 205 ++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-11.3.0.ebuild | 205 ++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-6.15.0.ebuild | 200 +++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-8.14.0.ebuild | 207 +++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-99999999.ebuild | 2 +-
6 files changed, 822 insertions(+), 1 deletion(-)
You removed 9.11.2, but 10.* versions require masked openssl-1.1. Please bring 9.* version back.
(In reply to Eugene Shalygin from comment #5)
> You removed 9.11.2, but 10.* versions require masked openssl-1.1. Please
> bring 9.* version back.

The 9 series has seen no updates since June 2018[1] so if I were to bring it back, I would have to mask that too, not because of masked dependencies but because of security vulnerabilities that will never be fixed upstream[2].

[1] https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V9.md#9.11.2
[2] https://github.com/nodejs/Release#end-of-life-releases
CVE-2018-12121 seems to affect the http-parser lib. Nodejs patched the http-parser dependency they bundle directly inside of the nodejs official distribution to limit the max header size to 8k, but since Gentoo's nodejs ebuilds use the system's http-parser lib as opposed to the bundled one, and I don't think a fix was released there yet, this would mean Gentoo's nodejs is still vulnerable to CVE-2018-12121 despite releasing ebuilds for the newer node version. I recommend using the bundled dependency as opposed to the system's http-parser or backporting node's fix as a patch to http-parser or patching http-parser with the contents of https://github.com/nodejs/http-parser/pull/452 . Note that limiting HTTP headers to a max size of 8k is a breaking change. Efforts are underway to make the max configurable and / or modifiable at runtime.
(In reply to Guillaume Ceccarelli from comment #7)
> CVE-2018-12121 seems to affect the http-parser lib.

That should be in a different bug report, then.
(In reply to Jeroen Roovers from comment #8)
> (In reply to Guillaume Ceccarelli from comment #7)
> > CVE-2018-12121 seems to affect the http-parser lib.
>
> That should be in a different bug report, then.

There might need to be another issue open in addition to this one, I'll let you and other Gentoo devs be the judge of that, but what I meant is the context of nodejs: Gentoo's nodejs does not benefit from the upstream fix to CVE-2018-12121 as it is, since the fix commit is
* https://github.com/nodejs/node/commit/74e01d0020ec255673e17353a1004a8ea375fff4
which essentially creates a fix directly in the bundled http-parser dependency.

Since gentoo's nodejs ebuilds do not make use of the bundled dependency, they also can't benefit from the fix. That --shared-http-parser we pass in src_configure explicitly prevents it, hence my Comment #7 .
(In reply to Guillaume Ceccarelli from comment #9)
> (In reply to Jeroen Roovers from comment #8)
> > (In reply to Guillaume Ceccarelli from comment #7)
> > > CVE-2018-12121 seems to affect the http-parser lib.
> >
> > That should be in a different bug report, then.
>
> There might need to be another issue open in addition to this one, I'll let
> you and other Gentoo devs be the judge of that, but what I meant is the
> context of nodejs: Gentoo's nodejs does not benefit from the upstream fix to
> CVE-2018-12121 as it is, since the fix commit is
> *
> https://github.com/nodejs/node/commit/
> 74e01d0020ec255673e17353a1004a8ea375fff4
> which essentially creates a fix directly in the bundled http-parser
> dependency.

No, it merely sets HTTP_MAX_HEADER_SIZE in the code that compiles against http-parser. The http-parser header says:

http_parser.h:#ifndef HTTP_MAX_HEADER_SIZE
http_parser.h:# define HTTP_MAX_HEADER_SIZE (80*1024)

and the nodejs build system overrides that default by limiting it to 8KB.
(In reply to Jeroen Roovers from comment #10)
> (In reply to Guillaume Ceccarelli from comment #9)
> > (In reply to Jeroen Roovers from comment #8)
> > > (In reply to Guillaume Ceccarelli from comment #7)
> > > > CVE-2018-12121 seems to affect the http-parser lib.
> > >
> > > That should be in a different bug report, then.
> >
> > There might need to be another issue open in addition to this one, I'll let
> > you and other Gentoo devs be the judge of that, but what I meant is the
> > context of nodejs: Gentoo's nodejs does not benefit from the upstream fix to
> > CVE-2018-12121 as it is, since the fix commit is
> > *
> > https://github.com/nodejs/node/commit/
> > 74e01d0020ec255673e17353a1004a8ea375fff4
> > which essentially creates a fix directly in the bundled http-parser
> > dependency.
>
> No, it merely sets HTTP_MAX_HEADER_SIZE in the code that compiles against
> http-parser. The http-parser header says:
>
> http_parser.h:#ifndef HTTP_MAX_HEADER_SIZE
> http_parser.h:# define HTTP_MAX_HEADER_SIZE (80*1024)
>
> and the nodejs build system overrides that default by limiting it to 8KB.

But you're right: it hasn't trickled down to current net-libs/http-parser. Note that http-parser is mostly developed by nodejs people, much like libuv, and that it apparently takes time and effort for them to send their changes upstream, even if they work upstream as well. Perhaps this is because they like to test things in the nodejs tree better than developing that independently in the upstream trees.
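
A check for the situation discussed in the comments above, as an added example that is not part of the bug thread or of Gentoo's or Node.js's own code: it reads the default HTTP_MAX_HEADER_SIZE from an http_parser.h and reports which header-size limit applies depending on whether --shared-http-parser is among the configure arguments. The function names, the sample header file and the sample argument lists are constructed for illustration, and the system library is assumed to be built with the header's default.

```shell
#!/bin/sh
# Added example, not from the bug thread; function names are hypothetical.
NODE_LIMIT=8192   # the 8KB limit the nodejs build sets, per the thread

# Print the default HTTP_MAX_HEADER_SIZE, in bytes, declared in header file $1.
header_default_bytes() {
    hdb_re='^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}HTTP_MAX_HEADER_SIZE[[:space:]]\{1,\}\(.*\)$'
    hdb_expr=$(sed -n "s/$hdb_re/\1/p" "$1" | head -n 1 | tr -cd '0-9*')
    case $hdb_expr in
        ''|\**|*\*|*\*\**) return 1 ;;   # empty, or not a plain product
    esac
    echo $(( $hdb_expr ))
}

# Print the limit that ends up enforced. $1 = configure args, $2 = header path.
# With --shared-http-parser the limit is whatever the system library was
# compiled with (assumed here: the header default), not the nodejs override.
effective_limit_bytes() {
    case " $1 " in
        *" --shared-http-parser "*) header_default_bytes "$2" ;;
        *) echo "$NODE_LIMIT" ;;
    esac
}

# Return 0 if the enforced limit is at or below 8KB, 1 if not, 2 on error.
limit_is_fixed() {
    lif_limit=$(effective_limit_bytes "$1" "$2") || return 2
    [ "$lif_limit" -le "$NODE_LIMIT" ]
}

# Constructed sample input: the http_parser.h lines quoted in the thread.
make_sample_header() {
    msh_file=$(mktemp) || return 1
    printf '%s\n' '#ifndef HTTP_MAX_HEADER_SIZE' \
        '# define HTTP_MAX_HEADER_SIZE (80*1024)' '#endif' > "$msh_file"
    echo "$msh_file"
}

sample=$(make_sample_header)
# Constructed configure argument lists: shared vs. bundled http-parser.
for args in "--shared-http-parser --shared-zlib" "--shared-zlib"; do
    if limit_is_fixed "$args" "$sample"; then state="8KB limit in effect"
    else state="8KB limit NOT in effect"; fi
    echo "[$args] $(effective_limit_bytes "$args" "$sample") bytes: $state"
done
rm -f "$sample"
```

On a real system, pass the installed http_parser.h and the arguments from the ebuild's src_configure instead of the constructed samples.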
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70a1b6bb522216ee1e5cab45df6ca67c44d96179

commit 70a1b6bb522216ee1e5cab45df6ca67c44d96179
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2018-12-06 13:54:23 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2018-12-06 13:56:12 +0000

net-libs/nodejs: Version 6.15.1

"This is a patch release to address a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to an entire keep-alive HTTP session, resulting in prematurely disconnected sockets."

https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.15.1

Package-Manager: Portage-2.3.52, Repoman-2.3.12
Bug: https://bugs.gentoo.org/672136
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/Manifest | 2 +-
net-libs/nodejs/{nodejs-6.15.0.ebuild => nodejs-6.15.1.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48 by GLSA coordinator Thomas Deutschmann (whissi).
Superseded by bug 708458.