Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 568900 (CVE-2015-8027) - <net-libs/nodejs-{0.12.9,4.2.3,5.1.1}: Denial of Service Vulnerability (CVE-2015-8027)
Summary: <net-libs/nodejs-{0.12.9,4.2.3,5.1.1}: Denial of Service Vulnerability (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2015-8027
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B3 [glsa cve]
Keywords:
: 568898 578586 (view as bug list)
Depends on: 580634
Blocks: 554330 578586
  Show dependency tree
 
Reported: 2015-12-20 19:04 UTC by OzTiram
Modified: 2016-12-13 14:37 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description OzTiram 2015-12-20 19:04:40 UTC
I reported this in the wrong place, sorry.

https://bugs.gentoo.org/show_bug.cgi?id=568898
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-12-20 19:08:49 UTC
*** Bug 568898 has been marked as a duplicate of this bug. ***
Comment 2 Brian Evans (RETIRED) gentoo-dev 2015-12-20 19:14:51 UTC
CVE-2015-8027 Denial of Service Vulnerability

This critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical.

    Versions 0.10.x of Node.js are not affected.
    Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
    Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
    Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 06:16:29 UTC
Just a follow up as this bug has been around since December of 2015. To get rid of this vulnerability we need to:

Upgrade to v0.12.9+, v4.2.3+, and v5.1.1+

Please advise.
Comment 4 Johan Bergström 2016-02-25 06:18:13 UTC
I'll take care of this. All ebuilds needs some changes but I'll keep it at a minimum to avoid issues with security bumping.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2016-04-23 06:17:56 UTC
There are non vulnerable versions in the tree but not stable. Are we ready to go stable on 0.12.10 ??
Comment 6 Pacho Ramos gentoo-dev 2016-05-09 10:35:02 UTC
ping? :/
Comment 7 Johan Bergström 2016-05-09 12:05:23 UTC
I would like to move stable to 4.x, seeing how upstream does the same. Is that unfeasible? Otherwise, latest 0.12 would be good for me.

Seeing how I'm the proxy maint I feel responsible for lagging a bit; I'm currently moving my vm's from Australia to Germany which will finish end of this week. After that's done my plan is to bring all branches up to date (0.12, 4.x, 5.x and now the 6.x). My suggestion is to sunset 0.12, suggest 4.x as LTS and make sure that we keep 6.x up to date forward seeing how it will be the new LTS come q3.
Comment 8 Pacho Ramos gentoo-dev 2016-05-17 15:15:41 UTC
4.4.1 is a good candidate then?
Comment 9 Pacho Ramos gentoo-dev 2016-05-23 09:07:51 UTC
net-libs/nodejs-4.4.1 amd64 x86
net-libs/http-parser-2.6.2 amd64 ppc x86
Comment 10 Agostino Sarubbo gentoo-dev 2016-05-25 09:49:29 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-05-25 11:26:06 UTC
x86 stable
Comment 12 Pacho Ramos gentoo-dev 2016-05-30 15:03:21 UTC
*** Bug 578586 has been marked as a duplicate of this bug. ***
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-07-04 12:04:07 UTC
(In reply to Yury German from comment #5)
> There are non vulnerable versions in the tree but not stable. Are we ready
> to go stable on 0.12.10 ??

You tracking this?
Comment 14 Agostino Sarubbo gentoo-dev 2016-07-08 08:18:09 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-09-07 03:38:11 UTC
No GLSA

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2016-09-07 07:00:18 UTC
Since we have to file an earlier bug as GLSA, going to add this one to the list.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2016-09-09 22:26:33 UTC
(In reply to Aaron Bauman from comment #13)
> Are we ready to go stable on 0.12.10 ??
> 
> You tracking this?

Maintainers,  We still have 0.12.X in tree that has not been patched. We need to mask it as part of cleanup.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 06:02:15 UTC
Please clean the vulnerable versions.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 11:04:14 UTC
0.12.6 is the last version that needs cleaned, but is the only stable for 0.12.x versions.

@maintainer, do you want to stabilize this?
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-12 20:12:40 UTC
Cleanup happened via bug 574418.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 14:37:00 UTC
This issue was resolved and addressed in
 GLSA 201612-43 at https://security.gentoo.org/glsa/201612-43
by GLSA coordinator Aaron Bauman (b-man).