Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 726836 (CVE-2020-8172, CVE-2020-8174)

Summary: <net-libs/nodejs-14.4.0 : Multiple vulnerabilities (CVE-2020-8172, CVE-2020-8174)
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Keywords: STABLEREQ
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/nodejs/node/releases/tag/v14.4.0
See Also: https://bugs.gentoo.org/show_bug.cgi?id=726834
https://bugs.gentoo.org/show_bug.cgi?id=728110
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 727670, 742893    
Bug Blocks:    

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-06-02 20:29:28 UTC 
Vulnerabilities fixed:

CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-02 21:12:05 UTC 
Let us know when bumped.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-02 21:30:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e65f5af5552a2226f8a1e50f956aa921c5ecde96

commit e65f5af5552a2226f8a1e50f956aa921c5ecde96
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-06-02 21:29:36 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-06-02 21:30:16 +0000

    net-libs/nodejs: Version 14.4.0
    
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=726836
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest             |   1 +
 net-libs/nodejs/nodejs-14.4.0.ebuild | 200 +++++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-07 21:09:10 UTC 
@maintainer(s), are we ready to stabilise now nghttp2 is done?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 21:15:10 UTC 
Let's try it because of the severity but let us know if you are not happy.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 13:03:43 UTC 
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-09 13:47:12 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-09 13:48:21 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-09 13:54:57 UTC 
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:03:04 UTC 
@ppc, ppc64: ping
Comment 10 NATTkA bot gentoo-dev 2020-08-28 19:53:14 UTC Comment hidden (obsolete)
Comment 11 Larry the Git Cow gentoo-dev 2020-09-04 07:09:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eda2daf31ca9729e117cdf8ada5c3ac90fc20780

commit eda2daf31ca9729e117cdf8ada5c3ac90fc20780
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-04 07:03:41 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-04 07:09:38 +0000

    net-libs/nodejs: Restore some of the 12.x.x branch
    
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    RepoMan-Options: --force
    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/739340
    Closes: https://bugs.gentoo.org/740218
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest                           |   2 +
 net-libs/nodejs/files/nodejs-99999999-llhttp.patch |  20 ++
 net-libs/nodejs/nodejs-12.16.1.ebuild              | 213 +++++++++++++++++++++
 net-libs/nodejs/nodejs-12.18.3.ebuild              | 213 +++++++++++++++++++++
 4 files changed, 448 insertions(+)
Comment 12 NATTkA bot gentoo-dev 2020-09-30 06:29:01 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2020-11-09 15:09:12 UTC Comment hidden (obsolete)
Comment 14 Marek Szuba archtester gentoo-dev 2020-11-09 15:12:38 UTC 
I have just pushed 14.15.0, which includes a fix for crashes on PPC64. Now to have it stabilised.

Runtime testing: only needed on ppc64 (and ppc?), check if it crashes.
Comment 15 NATTkA bot gentoo-dev 2020-11-09 15:13:14 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2020-11-09 15:17:21 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2020-11-09 15:21:06 UTC Comment hidden (obsolete)
Comment 18 Larry the Git Cow gentoo-dev 2020-11-21 20:26:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b094fb3db96fe457eecee465812486cb7880e5a

commit 4b094fb3db96fe457eecee465812486cb7880e5a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-21 20:16:13 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-21 20:26:27 +0000

    net-libs/nodejs: remove 12.18.4 and 14.2.0
    
    Tickets pertaining to CVE-2020-8201, CVE-2020-8251, CVE-2020-8172,
    CVE-2020-8174 and CVE-2020-15095 should now be safe to close.
    
    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/731654
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                 |   2 -
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 216 -------------------------------
 net-libs/nodejs/nodejs-14.2.0.ebuild     | 201 ----------------------------
 3 files changed, 419 deletions(-)
Comment 19 NATTkA bot gentoo-dev 2021-01-10 16:05:07 UTC 
Unable to check for sanity:

> no match for package: net-libs/nodejs-14.15.0
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:16:55 UTC 
This issue was resolved and addressed in
 GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07
by GLSA coordinator Sam James (sam_c).