From ${URL} : 2015.03.11, Version 0.10.37 (Maintenance) This release comes with a fix for CVE-2015-0278, which was a vulnerability in libuv < 0.10.34 caused by insufficient privilege dropping. More info about this type of issue can be found in the CERT secure coding guide. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
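The CERT guidance referenced above concerns the order in which a root process gives up its identities. As an added illustration of that bug class (this is not libuv's code and does not reproduce the actual libuv fix, which is not shown on this page), the following C helper implements the CERT POS36-C order (supplementary groups, then primary gid, then uid) with the POS37-C verification step, beside a reversed ordering that leaves group privileges behind. The function names and the test target (the caller's own uid/gid) are assumptions made for this example:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Added example, not libuv code. Drop privileges in the order CERT POS36-C
 * prescribes. Supplementary groups go first, because only a privileged
 * process may call setgroups(); then the primary gid; then the uid. Calling
 * setuid() first leaves the process unable to change its groups, so it keeps
 * root's group memberships, which is the class of bug CVE-2015-0278 describes.
 * Returns 0 on success, -errno on failure.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear supplementary groups while we are still allowed to. */
        if (setgroups(0, NULL) != 0)
            return -errno;
    }
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;

    /* CERT POS37-C: confirm the drop took effect on real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -EPERM;
    /* A real drop is irreversible: regaining uid 0 must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;
    return 0;
}

/*
 * Reversed order, kept only for comparison. Once root is gone, an
 * unprivileged process may only set its gid to a gid it already holds, so
 * setgid() fails with EPERM; code that ignored the return value would keep
 * running with gid 0 and root's supplementary groups. Never use this order.
 */
int drop_privileges_wrong_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0)
        return -errno;
    if (setgid(gid) != 0)   /* too late when starting from root */
        return -errno;
    return 0;
}

int main(void)
{
    /* Stand-alone demo: drop to our own ids, which succeeds whether or not
     * we started as root, and report the outcome. */
    int rc = drop_privileges(getuid(), getgid());
    if (rc != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("running as uid %u gid %u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run it as root with a real target uid/gid to see the difference: drop_privileges succeeds, while drop_privileges_wrong_order returns -EPERM at the setgid step.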
This only applies to our nodejs 0.10.x series since newer ones (and iojs) use a shared libuv. Another bug should probably be filed against net-libs/libuv since we have vulnerable versions in tree (although we DEPEND against newer versions). Renaming nodejs 0.10.36 to 0.10.37 worked for me.
We have 0.12.6 in the tree as stable now, is it affected?
Please advise if Bug #568900 fixed this vulnerability.
Affected version (0.10.x) is not in the tree anymore; the earliest version is 0.12.6. New GLSA request filed.
No longer applies to net-libs/nodejs and dev-libs/libuv has not shipped the vulnerable versions in question (git history). CVE has been changed upstream accordingly as well. "libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors."