| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <net-libs/nodejs-0.12.6, <net-libs/iojs-2.3.3: Unspecified vulnerability (CVE-2015-5380) | | |
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bugs, patrick, proxy-maint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | C3 [noglsa/cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 555182 | | |
| Bug Blocks: | | | |
Description
GLSAMaker/CVETool Bot
2015-07-13 12:48:13 UTC
For net-libs/iojs version in tree, please advise if the current version in tree (non-stable) has the appropriate fixes. For net-libs/nodejs version 0.12.7 in tree: Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.

These versions are considered safe (regarding v8 utf8 - openssl not relevant since we build against a shared version):

net-libs/nodejs-0.12.6 and later (in tree)
net-libs/iojs-2.3.3 and later (in tree)

I'm happy to stablereq. @patrick?

Stablereq sounds good to me.

Arches, please test and mark stable:

=net-libs/nodejs-0.12.6
=net-libs/iojs-2.3.3

Target keywords: "amd64 x86"

I realized that they require some unstable deps like:

>=dev-libs/libuv-1.6.1
>=dev-libs/openssl-1.0.2c
>=net-libs/http-parser-2.5

Let's sort this out a bit, we are making a bit of confusion. net-libs/iojs was never marked stable, so maintainers can ask for the stablereq in another bug different from this one. net-libs/nodejs-0.12.6 + dev-libs/libuv-1.4.2 is fine for repoman, so we have just one "Depends on" stablereq.

amd64 stable.

x86 stable.

Maintainer(s), please cleanup. Security, please vote.

GLSA vote: no.

Maintainer(s), thank you for the cleanup. GLSA Vote: No.

Maintainer(s), please drop the vulnerable version(s).

Maintainers, thank you for cleaning up net-libs/iojs. Please clean up: <net-libs/nodejs-0.12.6

commit af8a27d (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Fri Sep 11 19:46:44 2015 +0000

net-libs/nodejs: Remove vulnerable versions. Fixes bug 554742.

Package-Manager: portage-2.2.18
Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

delete mode 100644 net-libs/nodejs/nodejs-0.10.30.ebuild
delete mode 100644 net-libs/nodejs/nodejs-0.10.38.ebuild
delete mode 100644 net-libs/nodejs/nodejs-0.8.28.ebuild

According to the initial report of the vulnerability, this DOES NOT affect node.js 0.10.x at all. Quote from the bottom of the email: "This vulnerability does not affect the 0.10.x series shipped in Fedora, EPEL, and all Red Hat products that I am aware of. This is just a courtesy notice in case you all are using 0.12 or io.js anywhere." See: https://bugzilla.redhat.com/show_bug.cgi?id=1239332

It would make sense to add node-0.10.40 to the tree.

I'd vote for having 0.10.40, 0.12.7 and 4.0.0, then purge the rest.