Bug 708458 (CVE-2019-15604, CVE-2019-15605, CVE-2019-15606)

Summary:	<net-libs/nodejs-{10.19.0,12.15.0}: multiple vulnerabilities (CVE-2019-{15604-15605-15606})
Product:	Gentoo Security	Reporter:	Jeroen Roovers (RETIRED) <jer>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ppc64, ppc
Priority:	Normal	Keywords:	STABLEREQ
Version:	unspecified	Flags:	stable-bot: sanity-check+
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=716822
Whiteboard:	B3 [glsa+ cve]
Package list:	=net-libs/nodejs-10.19.0 =net-libs/nodejs-12.16.1 =net-libs/http-parser-2.9.3	Runtime testing required:	---
Bug Depends on:	713676, 713678
Bug Blocks:	658074, 665656, 672136, 679132, 702988

Description Jeroen Roovers (RETIRED) gentoo-dev

2020-02-06 10:01:53 UTC

CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Comment 1 Larry the Git Cow gentoo-dev

2020-02-06 10:03:58 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96189439cfa4dfd23cbfafb931588a2f9100832a

commit 96189439cfa4dfd23cbfafb931588a2f9100832a
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-06 10:03:24 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-06 10:03:54 +0000

    net-libs/nodejs: Versions 10.19.0 12.15.0 13.8.0
    
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/708458
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-10.19.0.ebuild | 200 ++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-12.15.0.ebuild | 208 ++++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-13.8.0.ebuild  | 204 +++++++++++++++++++++++++++++++++
 4 files changed, 615 insertions(+)

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-20 19:01:13 UTC

Added to an existing GLSA.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2020-03-20 19:22:25 UTC

This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-20 19:26:03 UTC

Re-opening for remaining architectures.

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-20 20:17:47 UTC

x86 stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-03-22 10:36:34 UTC

amd64 stable

Comment 7 Mart Raudsepp gentoo-dev

2020-03-22 11:59:01 UTC

arm64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-03-25 08:13:12 UTC

arm stable

Comment 9 Larry the Git Cow gentoo-dev

2020-03-25 08:23:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e81582668312b6d3c8baf700d0e0133cb4f40d6

commit 0e81582668312b6d3c8baf700d0e0133cb4f40d6
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-03-25 08:22:38 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-03-25 08:22:58 +0000

    net-libs/nodejs: Old
    
    Package-Manager: Portage-2.3.95, Repoman-2.3.21
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=708458
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   5 -
 net-libs/nodejs/nodejs-10.18.0.ebuild | 200 --------------------------------
 net-libs/nodejs/nodejs-12.14.0.ebuild | 208 ---------------------------------
 net-libs/nodejs/nodejs-12.16.0.ebuild | 208 ---------------------------------
 net-libs/nodejs/nodejs-13.8.0.ebuild  | 204 ---------------------------------
 net-libs/nodejs/nodejs-13.9.0.ebuild  | 209 ----------------------------------
 6 files changed, 1034 deletions(-)