Summary: | <net-libs/nodejs-{6.14.4,8.12.0}: out-of-bounds (OOB) write (CVE-2018-12115) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Mike Gilbert <floppym> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | jer, patrick, polynomial-c |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | =net-libs/nodejs-6.14.4, =net-libs/nodejs-8.12.0, =net-libs/http-parser-2.8.1 | ||
Runtime testing required: | --- |
Bug Depends on: | 708458 | ||
Bug Blocks: |
Description
Mike Gilbert
Let's go ahead and stabilize 6.14.4 and 8.11.4.

An automated check of this bug failed - repoman reported dependency errors (626 lines truncated):
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.7.0:=']
An automated check of this bug failed - repoman reported dependency errors (254 lines truncated):
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/nghttp2-1.32.0']
x86 stable

amd64 stable

ppc/ppc64 stable. I dropped keywords on older versions of nodejs including version 6 since it fails tests and doesn't seem to be required for anything.

arm stable

Tree is clean.

Added to an existing GLSA Request.

This issue was resolved and addressed in GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48 by GLSA coordinator Thomas Deutschmann (whissi).

Superseded by bug 708458.