Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 651882 (CVE-2018-7158, CVE-2018-7159, CVE-2018-7160) - <net-libs/nodejs-{4.9.0,6.14.0,8.11.0} - multiple vulnerabilities
Summary: <net-libs/nodejs-{4.9.0,6.14.0,8.11.0} - multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-7158, CVE-2018-7159, CVE-2018-7160
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/nodejs/node/blob/m...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on: 641130
Blocks:
  Show dependency tree
 
Reported: 2018-03-29 05:59 UTC by Jeroen Roovers (RETIRED)
Modified: 2018-05-20 20:57 UTC (History)
2 users (show)

See Also:
Package list:
=net-libs/nodejs-4.9.0 =net-libs/nodejs-6.14.0 =net-libs/nodejs-8.11.0 =net-libs/http-parser-2.8.1 =dev-libs/libuv-1.20.0
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2018-03-29 05:59:49 UTC
Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value of localhost or localhost6.

Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.


Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
Comment 1 Pacho Ramos gentoo-dev 2018-04-14 10:32:34 UTC
*** Bug 643510 has been marked as a duplicate of this bug. ***
Comment 2 Michael Boyle 2018-04-24 02:13:59 UTC
Hello!
@maintainers, is there a status for his bug?

Michael Boyle
Gentoo Security Padawan
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2018-04-24 05:42:19 UTC
(In reply to Michael Boyle from comment #2)
> @maintainers, is there a status for his bug?

Yes, apparently it's "CONFIRMED".
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-04-24 07:25:37 UTC
(In reply to Jeroen Roovers from comment #3)
> (In reply to Michael Boyle from comment #2)
> > @maintainers, is there a status for his bug?
> 
> Yes, apparently it's "CONFIRMED".

silly jokes are not welcome, if you can't help yourself making them, please find better place than bugzilla
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2018-04-24 19:04:40 UTC
(In reply to Mikle Kolyada from comment #4)
> (In reply to Jeroen Roovers from comment #3)
> > (In reply to Michael Boyle from comment #2)
> > > @maintainers, is there a status for his bug?
> > 
> > Yes, apparently it's "CONFIRMED".
> 
> silly jokes are not welcome, if you can't help yourself making them, please
> find better place than bugzilla

They're not?
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-05-20 20:57:20 UTC
GLSA Vote: No