Fixed versions:
Node.js v6.7.0 (Current)
Node.js v4.6.0 (LTS "Argon")
Node.js v0.12.16 (Maintenance)
Node.js v0.10.47 (Maintenance)
Due out today.

* A high-severity flaw relating to the processing of TLS certificates, impacting all versions of Node.js
* A low-severity native code injection vulnerability on Windows, impacting all versions of Node.js
* A low-severity HTTP validation error, impacting all versions of Node.js

Also note that the 6.x.x branch will become the LTS branch next month (October 2016).[1]

[1] https://github.com/nodejs/LTS#lts_schedule
Both 4.6.0 and 6.7.0 have been committed to repo/gentoo
Arch teams, please test and mark stable:
=net-libs/nodejs-4.6.1
Targeted stable KEYWORDS : amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
What is going on with 0.12.x? Are those going to be cleaned by the maintainer or bumped then cleaned?
> * A high-severity flaw relating to the processing of TLS certificates,
> impacting all versions of Node.js

CVE-2016-7099

> * A low-severity native code injection vulnerability on Windows,
> impacting all versions of Node.js

No CVE.

> * A low-severity HTTP validation error, impacting all versions of Node.js

CVE-2016-5325 (handled in bug 586084 for >4.x).

Adding:

> * ares_create_query single byte out of buffer write (through embedded c-ares)

This is CVE-2016-5180; fixed v6.x not yet released (see https://github.com/nodejs/node/commit/23a851dfe61ceb5859779df12c5dfb8da3a7a0c0).

> * arbitrary memory read in v8

This is CVE-2016-5172; v6.x only, included in 6.9.0 (which is already in tree).

@ Maintainer(s): Please bump to >=net-libs/nodejs-0.12.17
0.12 bumped
@ Arches, please test and mark stable:
=net-libs/nodejs-0.12.17
x86 stable. Maintainer(s), please cleanup.
GLSA Vote: No
CVE-2016-7099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7099): The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
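The CVE-2016-7099 entry above concerns how wildcards in certificate name fields are matched against the expected server name. The following is an added example, not code from this bug thread, from Gentoo or from Node.js: a strict DNS-name matcher written in the spirit of RFC 6125, in which a wildcard is accepted only as the entire leftmost label, matches exactly one label, must be followed by at least two fixed labels, and never matches an IDNA A-label. The function names (`matchesHostname`, `checkCertificateNames`) and the sample names are my own constructions.

```javascript
'use strict';

// Added example (not from the Gentoo bug thread or Node.js): a strict
// matcher for DNS names taken from a certificate's subject or SAN list.

// A syntactically valid LDH label: letters, digits, hyphen; no leading or
// trailing hyphen. The pattern side is checked with this too, so a label
// such as "f*o" is rejected outright.
const LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;

// Lower-case, drop a trailing dot, split into labels.
function splitLabels(name) {
  return String(name).toLowerCase().replace(/\.$/, '').split('.');
}

function allLabelsValid(labels) {
  return labels.length > 0 && labels.every((l) => LABEL.test(l));
}

// Does one certificate name (possibly a wildcard pattern) match hostname?
function matchesHostname(pattern, hostname) {
  const p = splitLabels(pattern);
  const h = splitLabels(hostname);

  if (!allLabelsValid(h)) return false;
  // A wildcard stands for exactly one label, so label counts must agree.
  if (p.length !== h.length) return false;

  const wildcardIdx = p.findIndex((l) => l.includes('*'));

  // Plain name: exact, case-insensitive, label-by-label comparison.
  if (wildcardIdx === -1) {
    return allLabelsValid(p) && p.every((l, i) => l === h[i]);
  }

  // Wildcard rules:
  //  - only the leftmost label may carry it, and it must be the whole label
  //    ("*.example.com" ok; "www.*.com", "f*.example.com" rejected)
  if (wildcardIdx !== 0 || p[0] !== '*') return false;
  //  - no second wildcard anywhere ("*.*.com" rejected)
  if (p.slice(1).some((l) => l.includes('*'))) return false;
  //  - at least two fixed labels must follow ("*.com" rejected)
  if (p.length < 3) return false;
  //  - the fixed labels must be well-formed
  if (!allLabelsValid(p.slice(1))) return false;
  //  - a wildcard never matches an internationalised (A-label) leftmost label
  if (h[0].startsWith('xn--')) return false;

  return p.slice(1).every((l, i) => l === h[i + 1]);
}

// Accept the certificate if any of its DNS names matches the hostname.
function checkCertificateNames(dnsNames, hostname) {
  return dnsNames.some((n) => matchesHostname(n, hostname));
}

// Constructed sample: names as they might appear in a certificate's SAN list.
const sampleNames = ['mail.example.com', '*.example.com'];
console.log(checkCertificateNames(sampleNames, 'www.example.com'));   // true
console.log(checkCertificateNames(sampleNames, 'a.b.example.com'));   // false
console.log(matchesHostname('*.*.com', 'www.example.com'));           // false
```

The point of the example is the set of rejections in the wildcard branch: a name such as `*.*.com` or `www.*.com` would otherwise match a far wider set of hosts than the certificate's issuer ever vouched for, which is exactly the man-in-the-middle exposure the advisory describes. In an application the fixed `tls.checkServerIdentity` in the versions listed above should be relied on; a matcher like this one is useful as a reference when reviewing or testing name-checking code.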
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201612-43 at https://security.gentoo.org/glsa/201612-43 by GLSA coordinator Aaron Bauman (b-man).
@maintainer(s), reopened for cleanup. 4.4.6 is vulnerable as well according to the upstream advisory linked in $URL. Please be sure to clean that as well.
commit 46c05d38950dfe571f292eb33483cad18b732ae7 (HEAD -> master, origin/master, origin/HEAD)
Author: Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Sun Dec 18 09:39:19 2016 +0100
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: Sun Dec 18 09:39:19 2016 +0100

    net-libs/nodejs: remove vulnerable version.

    Gentoo-Bug: https://bugs.gentoo.org/595256

    Package-Manager: portage-2.3.0

 net-libs/nodejs/Manifest            |   1 -
 net-libs/nodejs/nodejs-4.4.6.ebuild | 143 ------------------------------------
 2 files changed, 144 deletions(-)
 delete mode 100644 net-libs/nodejs/nodejs-4.4.6.ebuild
(In reply to Patrice Clement from comment #16)
> commit 46c05d38950dfe571f292eb33483cad18b732ae7 (HEAD -> master,
> origin/master, origin/HEAD)
> Author: Patrice Clement <monsieurp@gentoo.org>
> AuthorDate: Sun Dec 18 09:39:19 2016 +0100
> Commit: Patrice Clement <monsieurp@gentoo.org>
> CommitDate: Sun Dec 18 09:39:19 2016 +0100
>
> net-libs/nodejs: remove vulnerable version.
>
> Gentoo-Bug: https://bugs.gentoo.org/595256
>
> Package-Manager: portage-2.3.0
>
> net-libs/nodejs/Manifest | 1 -
> net-libs/nodejs/nodejs-4.4.6.ebuild | 143
> ------------------------------------
> 2 files changed, 144 deletions(-)
> delete mode 100644 net-libs/nodejs/nodejs-4.4.6.ebuild

Thanks!