| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <net-libs/nodejs-{0.6.17,0.7.8} HTTP server information disclosure (CVE-2012-2330) | | |
| Product: | Gentoo Security | Reporter: | Johan Bergström <bugs> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | patrick, schamane |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/ | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Johan Bergström, 2012-05-07 21:08:59 UTC

0.6.17 added, 0.7.8 already there, vulnerable versions punted.

*** Bug 415103 has been marked as a duplicate of this bug. ***

Package was never stable, closing noglsa.

CVE-2012-2330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2330): The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.