
Bug 708458 (CVE-2019-15604, CVE-2019-15605, CVE-2019-15606)

Summary: <net-libs/nodejs-{10.19.0,12.15.0}: multiple vulnerabilities (CVE-2019-{15604-15605-15606})
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ppc64, ppc
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=716822
Whiteboard: B3 [glsa+ cve]
Package list:
=net-libs/nodejs-10.19.0 =net-libs/nodejs-12.16.1 =net-libs/http-parser-2.9.3
Runtime testing required: ---
Bug Depends on: 713676, 713678
Bug Blocks: 658074, 665656, 672136, 679132, 702988

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-02-06 10:01:53 UTC
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
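The first two CVEs in the description are about lenient HTTP header handling: untrimmed trailing optional whitespace (OWS) in field values, and a malformed Transfer-Encoding header that lets a front-end proxy and a back-end server disagree about where one request ends and the next begins. The following is an added illustration, not code from Node.js, http-parser or the Gentoo ebuilds: a small header parser that trims OWS as RFC 7230 section 3.2.4 requires and then applies the strict message-framing rules from section 3.3.3, rejecting any request whose body length is ambiguous rather than guessing. The function names and the sample header lines are constructed for this example.

```javascript
'use strict';

// OWS per RFC 7230: any run of SP / HTAB at the start or end of a field value.
const OWS = /^[ \t]+|[ \t]+$/g;

// Parse one raw "Name: value" line into { name, value }, lower-casing the name
// (field names are case-insensitive) and trimming leading/trailing OWS from the value.
function parseHeaderLine(line) {
  const idx = line.indexOf(':');
  if (idx <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
  const name = line.slice(0, idx);
  // RFC 7230 forbids whitespace between the field name and the colon.
  if (/[ \t]/.test(name)) throw new Error(`whitespace in field name: ${JSON.stringify(name)}`);
  const value = line.slice(idx + 1).replace(OWS, '');
  return { name: name.toLowerCase(), value };
}

// Parse a list of header lines into a Map of name -> { value, count }.
// Repeated names are joined with ", " (allowed for list-valued fields), but the
// occurrence count is kept so framing headers can be checked for duplicates.
function parseHeaders(lines) {
  const headers = new Map();
  for (const line of lines) {
    const { name, value } = parseHeaderLine(line);
    const prev = headers.get(name);
    headers.set(name, prev
      ? { value: `${prev.value}, ${value}`, count: prev.count + 1 }
      : { value, count: 1 });
  }
  return headers;
}

// Decide how the request body is delimited. Returns
//   { framing: 'chunked' } | { framing: 'content-length', length } | { framing: 'none' }
// and throws on anything two HTTP implementations might interpret differently.
function determineFraming(headers) {
  const te = headers.get('transfer-encoding');
  const cl = headers.get('content-length');
  if (te) {
    // RFC 7230 section 3.3.3: both Transfer-Encoding and Content-Length present is
    // the classic smuggling ambiguity, so reject instead of preferring one.
    if (cl) throw new Error('both Transfer-Encoding and Content-Length present');
    if (te.count > 1) throw new Error('multiple Transfer-Encoding headers');
    // Accept only a single, exactly spelled "chunked" coding. Because OWS was
    // trimmed above, "chunked \t" is fine; "xchunked" or "chunked, gzip" is not.
    const codings = te.value.split(',').map(s => s.replace(OWS, '').toLowerCase());
    if (codings.length !== 1 || codings[0] !== 'chunked') {
      throw new Error(`unsupported Transfer-Encoding: ${JSON.stringify(te.value)}`);
    }
    return { framing: 'chunked' };
  }
  if (cl) {
    // Stricter than the RFC, which tolerates identical duplicates: any repeat is rejected.
    if (cl.count > 1) throw new Error('multiple Content-Length headers');
    if (!/^\d+$/.test(cl.value)) throw new Error(`invalid Content-Length: ${JSON.stringify(cl.value)}`);
    return { framing: 'content-length', length: Number(cl.value) };
  }
  return { framing: 'none' };
}

// Constructed sample: a header block with trailing whitespace on Transfer-Encoding.
const sampleLines = ['Host: example.test', 'Transfer-Encoding: chunked \t'];
const sampleFraming = determineFraming(parseHeaders(sampleLines));
```

A lenient parser that skipped the OWS trimming would see the value `"chunked \t"`, fail the exact-match comparison and fall through to a different framing than a strict peer would choose; the point of `determineFraming` is that every such disagreement becomes a hard rejection instead of a silently different body boundary.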
Comment 1 Larry the Git Cow gentoo-dev 2020-02-06 10:03:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96189439cfa4dfd23cbfafb931588a2f9100832a

commit 96189439cfa4dfd23cbfafb931588a2f9100832a
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-06 10:03:24 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-06 10:03:54 +0000

    net-libs/nodejs: Versions 10.19.0 12.15.0 13.8.0
    
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/708458
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-10.19.0.ebuild | 200 ++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-12.15.0.ebuild | 208 ++++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-13.8.0.ebuild  | 204 +++++++++++++++++++++++++++++++++
 4 files changed, 615 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 19:01:13 UTC
Added to an existing GLSA.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 19:22:25 UTC
This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 19:26:03 UTC
Re-opening for remaining architectures.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 20:17:47 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-22 10:36:34 UTC
amd64 stable
Comment 7 Mart Raudsepp gentoo-dev 2020-03-22 11:59:01 UTC
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-25 08:13:12 UTC
arm stable
Comment 9 Larry the Git Cow gentoo-dev 2020-03-25 08:23:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e81582668312b6d3c8baf700d0e0133cb4f40d6

commit 0e81582668312b6d3c8baf700d0e0133cb4f40d6
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-03-25 08:22:38 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-03-25 08:22:58 +0000

    net-libs/nodejs: Old
    
    Package-Manager: Portage-2.3.95, Repoman-2.3.21
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=708458
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   5 -
 net-libs/nodejs/nodejs-10.18.0.ebuild | 200 --------------------------------
 net-libs/nodejs/nodejs-12.14.0.ebuild | 208 ---------------------------------
 net-libs/nodejs/nodejs-12.16.0.ebuild | 208 ---------------------------------
 net-libs/nodejs/nodejs-13.8.0.ebuild  | 204 ---------------------------------
 net-libs/nodejs/nodejs-13.9.0.ebuild  | 209 ----------------------------------
 6 files changed, 1034 deletions(-)