CVE-2015-5380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5380): The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.
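The defect the CVE text describes is an output-capacity check that is skipped for code points above U+FFFF, which need two UTF-16 units. The following is an added illustration, not V8's or Node's code: a small UTF-8 to UTF-16 converter that verifies room for the whole surrogate pair before writing either half, and rejects malformed input instead of overrunning the buffer. Function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one UTF-8 sequence from s[0..n) into *cp.
   Returns bytes consumed, or 0 on malformed/overlong/surrogate/out-of-range input. */
static size_t decode_utf8(const uint8_t *s, size_t n, uint32_t *cp) {
    static const uint32_t min_for_len[] = {0, 0, 0x80, 0x800, 0x10000};
    if (n == 0) return 0;
    uint8_t b = s[0];
    size_t len;
    uint32_t c;
    if (b < 0x80)              { len = 1; c = b; }
    else if ((b & 0xE0) == 0xC0) { len = 2; c = b & 0x1F; }
    else if ((b & 0xF0) == 0xE0) { len = 3; c = b & 0x0F; }
    else if ((b & 0xF8) == 0xF0) { len = 4; c = b & 0x07; }
    else return 0;
    if (len > n) return 0;                      /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;    /* bad continuation byte */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min_for_len[len] || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)) return 0;
    *cp = c;
    return len;
}

/* Convert UTF-8 to UTF-16. Returns the number of UTF-16 units written, or -1 on
   malformed input or insufficient capacity. Never writes outside out[0..cap). */
long utf8_to_utf16(const uint8_t *in, size_t n, uint16_t *out, size_t cap) {
    size_t i = 0, w = 0;
    while (i < n) {
        uint32_t cp;
        size_t used = decode_utf8(in + i, n - i, &cp);
        if (used == 0) return -1;
        i += used;
        if (cp >= 0x10000) {
            /* Supplementary plane: TWO output units are needed. Check for both
               before writing either; skipping this check is the flaw CVE-2015-5380 describes. */
            if (cap - w < 2) return -1;
            cp -= 0x10000;
            out[w++] = (uint16_t)(0xD800 | (cp >> 10));     /* high surrogate */
            out[w++] = (uint16_t)(0xDC00 | (cp & 0x3FF));   /* low surrogate  */
        } else {
            if (cap - w < 1) return -1;                     /* BMP: one unit */
            out[w++] = (uint16_t)cp;
        }
    }
    return (long)w;
}
```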
For the net-libs/iojs version in tree: please advise if the current version in tree (non-stable) has the appropriate fixes. For net-libs/nodejs version 0.12.7 in tree: Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.
These versions are considered safe (regarding v8 utf8; openssl is not relevant since we build against a shared version): net-libs/nodejs-0.12.6 and later (in tree); net-libs/iojs-2.3.3 and later (in tree). I'm happy to stablereq. @patrick?
Stablereq sounds good to me
Arches, please test and mark stable: =net-libs/nodejs-0.12.6 =net-libs/iojs-2.3.3 Target keywords: "amd64 x86"
I realized that they require some unstable deps like: >=dev-libs/libuv-1.6.1 >=dev-libs/openssl-1.0.2c >=net-libs/http-parser-2.5
Let's sort this out a bit; we are creating some confusion. net-libs/iojs was never marked stable, so maintainers can ask for the stablereq in another bug, different from this one. net-libs/nodejs-0.12.6 + dev-libs/libuv-1.4.2 is fine for repoman, so we have just one "Depends on" stablereq.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: no
Maintainer(s), thank you for the cleanup. GLSA Vote: No. Maintainer(s), please drop the vulnerable version(s).
Maintainers thank you for cleaning up: net-libs/iojs Please clean up: <net-libs/nodejs-0.12.6
commit af8a27d (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Fri Sep 11 19:46:44 2015 +0000

net-libs/nodejs: Remove vulnerable versions. Fixes bug 554742.

Package-Manager: portage-2.2.18
Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

delete mode 100644 net-libs/nodejs/nodejs-0.10.30.ebuild
delete mode 100644 net-libs/nodejs/nodejs-0.10.38.ebuild
delete mode 100644 net-libs/nodejs/nodejs-0.8.28.ebuild
According to the initial report of the vulnerability, this DOES NOT affect node.js 0.10.x at all. Quote from bottom of email: "This vulnerability does not affect the 0.10.x series shipped in Fedora, EPEL, and all Red Hat products that I am aware of. This is just a courtesy notice in case you all are using 0.12 or io.js anywhere." See: https://bugzilla.redhat.com/show_bug.cgi?id=1239332 It would make sense to add node-0.10.40 to the tree.
I'd vote for having 0.10.40, 0.12.7 and 4.0.0 then purge the rest.