
Bug 595256 (CVE-2016-7099)

Summary: <net-libs/nodejs-{4.6.1,0.12.17} - multiple vulnerabilities (CVE-2016-{5325,7099})
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bugs, patrick, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Whiteboard: B3 [glsa cve cleanup]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 586084

Description Jeroen Roovers (RETIRED) gentoo-dev 2016-09-27 07:30:04 UTC
Fixed versions:

Node.js v6.7.0 (Current)
Node.js v4.6.0 (LTS "Argon")
Node.js v0.12.16 (Maintenance)
Node.js v0.10.47 (Maintenance)

Due out today.

 * A high-severity flaw relating to the processing of TLS certificates, impacting all versions of Node.js
 * A low-severity native code injection vulnerability on Windows, impacting all versions of Node.js
 * A low-severity HTTP validation error, impacting all versions of Node.js

Also note that the 6.x.x branch will become the LTS branch next month (October 2016).[1]


[1] https://github.com/nodejs/LTS#lts_schedule
Comment 1 Patrick Lauer gentoo-dev 2016-09-29 15:40:32 UTC
Both 4.6.0 and 6.7.0 have been committed to repo/gentoo.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-25 06:31:36 UTC
Arch teams, please test and mark stable:
=net-libs/nodejs-4.6.1
Targeted stable KEYWORDS : amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-26 10:12:43 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-10-26 10:13:43 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-10-26 11:05:13 UTC
What is going on with 0.12.x?  Are those going to be cleaned by the maintainer or bumped then cleaned?
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-06 02:07:38 UTC
> * A high-severity flaw relating to the processing of TLS certificates,
> impacting all versions of Node.js

CVE-2016-7099


> * A low-severity native code injection vulnerability on Windows,
> impacting all versions of Node.js

No CVE.


> * A low-severity HTTP validation error, impacting all versions of Node.js

CVE-2016-5325 (handled in bug 586084 for >4.x).


Adding:

> * ares_create_query single byte out of buffer write (through embedded c-ares)

This is CVE-2016-5180; fixed in v6.x, but not yet released (see https://github.com/nodejs/node/commit/23a851dfe61ceb5859779df12c5dfb8da3a7a0c0).


> * arbitrary memory read in v8

This is CVE-2016-5172; v6.x only, included in 6.9.0 (which is already in tree).



@ Maintainer(s): Please bump to >=net-libs/nodejs-0.12.17
Comment 7 Patrick Lauer gentoo-dev 2016-12-06 02:21:15 UTC
0.12 bumped
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-06 02:42:48 UTC
@ Arches,

please test and mark stable: =net-libs/nodejs-0.12.17
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-13 11:05:59 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-13 11:31:23 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 11:57:09 UTC
GLSA Vote: No
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 11:57:41 UTC
CVE-2016-7099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7099):
  The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47,
  0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not
  properly handle wildcards in name fields of X.509 certificates, which allows
  man-in-the-middle attackers to spoof servers via a crafted certificate.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 14:20:34 UTC
Added to existing GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 14:37:19 UTC
This issue was resolved and addressed in
 GLSA 201612-43 at https://security.gentoo.org/glsa/201612-43
by GLSA coordinator Aaron Bauman (b-man).
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 14:43:29 UTC
@maintainer(s), reopened for cleanup.

4.4.6 is vulnerable as well according to the upstream advisory linked in $URL.  Please be sure to clean that as well.
Comment 16 Patrice Clement gentoo-dev 2016-12-18 08:40:56 UTC
commit 46c05d38950dfe571f292eb33483cad18b732ae7 (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Sun Dec 18 09:39:19 2016 +0100
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Sun Dec 18 09:39:19 2016 +0100

net-libs/nodejs: remove vulnerable version.

Gentoo-Bug: https://bugs.gentoo.org/595256

Package-Manager: portage-2.3.0

net-libs/nodejs/Manifest            |   1 -
net-libs/nodejs/nodejs-4.4.6.ebuild | 143 ------------------------------------
2 files changed, 144 deletions(-)
delete mode 100644 net-libs/nodejs/nodejs-4.4.6.ebuild
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2016-12-18 09:19:21 UTC
(In reply to Patrice Clement from comment #16)
> commit 46c05d38950dfe571f292eb33483cad18b732ae7 (HEAD -> master,
> origin/master, origin/HEAD)
> Author:     Patrice Clement <monsieurp@gentoo.org>
> AuthorDate: Sun Dec 18 09:39:19 2016 +0100
> Commit:     Patrice Clement <monsieurp@gentoo.org>
> CommitDate: Sun Dec 18 09:39:19 2016 +0100
> 
> net-libs/nodejs: remove vulnerable version.
> 
> Gentoo-Bug: https://bugs.gentoo.org/595256
> 
> Package-Manager: portage-2.3.0
> 
> net-libs/nodejs/Manifest            |   1 -
> net-libs/nodejs/nodejs-4.4.6.ebuild | 143
> ------------------------------------
> 2 files changed, 144 deletions(-)
> delete mode 100644 net-libs/nodejs/nodejs-4.4.6.ebuild

Thanks!