Bug 708458 (CVE-2019-15604, CVE-2019-15605, CVE-2019-15606) - <net-libs/nodejs-{10.19.0,12.15.0}: multiple vulnerabilities (CVE-2019-{15604-15605-15606})
Status: IN_PROGRESS
Alias: CVE-2019-15604, CVE-2019-15605, CVE-2019-15606
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable glsa+ cve]
Keywords: STABLEREQ
Depends on: 713678 713676
Blocks: CVE-2018-7161, CVE-2018-7162, CVE-2018-7164, CVE-2018-7167 CVE-2018-12115 672136 CVE-2019-5737, CVE-2019-5739 CVE-2019-16777
Reported: 2020-02-06 10:01 UTC by Jeroen Roovers
Modified: 2020-03-25 08:23 UTC

See Also:
Package list:
=net-libs/nodejs-10.19.0 =net-libs/nodejs-12.16.1 =net-libs/http-parser-2.9.3
Runtime testing required: ---
stable-bot: sanity-check+

Description Jeroen Roovers gentoo-dev 2020-02-06 10:01:53 UTC
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Comment 1 Larry the Git Cow gentoo-dev 2020-02-06 10:03:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96189439cfa4dfd23cbfafb931588a2f9100832a

commit 96189439cfa4dfd23cbfafb931588a2f9100832a
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-06 10:03:24 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-06 10:03:54 +0000

    net-libs/nodejs: Versions 10.19.0 12.15.0 13.8.0
    
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/708458
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-10.19.0.ebuild | 200 ++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-12.15.0.ebuild | 208 ++++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-13.8.0.ebuild  | 204 +++++++++++++++++++++++++++++++++
 4 files changed, 615 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-20 19:01:13 UTC
Added to an existing GLSA.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 19:22:25 UTC
This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-03-20 19:26:03 UTC
Re-opening for remaining architectures.
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-03-20 20:17:47 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-22 10:36:34 UTC
amd64 stable
Comment 7 Mart Raudsepp gentoo-dev 2020-03-22 11:59:01 UTC
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-25 08:13:12 UTC
arm stable
Comment 9 Larry the Git Cow gentoo-dev 2020-03-25 08:23:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e81582668312b6d3c8baf700d0e0133cb4f40d6

commit 0e81582668312b6d3c8baf700d0e0133cb4f40d6
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-03-25 08:22:38 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-03-25 08:22:58 +0000

    net-libs/nodejs: Old
    
    Package-Manager: Portage-2.3.95, Repoman-2.3.21
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=708458
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   5 -
 net-libs/nodejs/nodejs-10.18.0.ebuild | 200 --------------------------------
 net-libs/nodejs/nodejs-12.14.0.ebuild | 208 ---------------------------------
 net-libs/nodejs/nodejs-12.16.0.ebuild | 208 ---------------------------------
 net-libs/nodejs/nodejs-13.8.0.ebuild  | 204 ---------------------------------
 net-libs/nodejs/nodejs-13.9.0.ebuild  | 209 ----------------------------------
 6 files changed, 1034 deletions(-)