Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 595256 (CVE-2016-7099) - <net-libs/nodejs-{4.6.1,0.12.17} - multiple vulnerabilities (CVE-2016-{5325,7099})
Summary: <net-libs/nodejs-{4.6.1,0.12.17} - multiple vulnerabilities (CVE-2016-{5325,7...
Status: RESOLVED FIXED
Alias: CVE-2016-7099
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B3 [glsa cve cleanup]
Keywords:
Depends on:
Blocks: CVE-2016-5325
  Show dependency tree
 
Reported: 2016-09-27 07:30 UTC by Jeroen Roovers (RETIRED)
Modified: 2016-12-18 09:19 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2016-09-27 07:30:04 UTC
Fixed versions:

Node.js v6.7.0 (Current)
Node.js v4.6.0 (LTS "Argon")
Node.js v0.12.16 (Maintenance)
Node.js v0.10.47 (Maintenance)

Due out today.

 * A high-severity flaw relating to the processing of TLS certificates, impacting all versions of Node.js
 * A low-severity native code injection vulnerability on Windows, impacting all versions of Node.js
 * A low-severity HTTP validation error, impacting all versions of Node.js

Also note that the 6.x.x branch will become the LTS branch next month (October 2016).[1]


[1] https://github.com/nodejs/LTS#lts_schedule
Comment 1 Patrick Lauer gentoo-dev 2016-09-29 15:40:32 UTC
Both 4.6.0 and 6.7.0 have been committed to repo/gentoo
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-25 06:31:36 UTC
Arch teams, please test and mark stable:
=net-libs/nodejs-4.6.1
Targeted stable KEYWORDS : amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-26 10:12:43 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-10-26 10:13:43 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-26 11:05:13 UTC
What is going on with 0.12.x?  Are those going to be cleaned by the maintainer or bumped then cleaned?
Comment 6 Thomas Deutschmann gentoo-dev Security 2016-12-06 02:07:38 UTC
> * A high-severity flaw relating to the processing of TLS certificates,
> impacting all versions of Node.js

CVE-2016-7099


> * A low-severity native code injection vulnerability on Windows,
> impacting all versions of Node.js

No CVE.


> * A low-severity HTTP validation error, impacting all versions of Node.js

CVE-2016-5325 (handled in bug 586084 for >4.x).


Adding:

> * ares_create_query single byte out of buffer write (through embedded c-areas)

This is CVE-2016-5180; Fixed v6.x not yet released (see https://github.com/nodejs/node/commit/23a851dfe61ceb5859779df12c5dfb8da3a7a0c0).


> * arbitrary memory read in v8

This is CVE-2016-5172; v6.x only, included in 6.9.0 (which is already in tree)



@ Maintainer(s): Please bump to >=net-libs/nodejs-0.12.17
Comment 7 Patrick Lauer gentoo-dev 2016-12-06 02:21:15 UTC
0.12 bumped
Comment 8 Thomas Deutschmann gentoo-dev Security 2016-12-06 02:42:48 UTC
@ Arches,

please test and mark stable: =net-libs/nodejs-0.12.17
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-13 11:05:59 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-13 11:31:23 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 11:57:09 UTC
GLSA Vote: No
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 11:57:41 UTC
CVE-2016-7099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7099):
  The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47,
  0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not
  properly handle wildcards in name fields of X.509 certificates, which allows
  man-in-the-middle attackers to spoof servers via a crafted certificate.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 14:20:34 UTC
Added to existing GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 14:37:19 UTC
This issue was resolved and addressed in
 GLSA 201612-43 at https://security.gentoo.org/glsa/201612-43
by GLSA coordinator Aaron Bauman (b-man).
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 14:43:29 UTC
@maintainer(s), reopened for cleanup.

4.4.6 is vulnerable as well according to the upstream advisory linked in $URL.  Please be sure to clean that as well.
Comment 16 Patrice Clement gentoo-dev 2016-12-18 08:40:56 UTC
commit 46c05d38950dfe571f292eb33483cad18b732ae7 (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Sun Dec 18 09:39:19 2016 +0100
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Sun Dec 18 09:39:19 2016 +0100

net-libs/nodejs: remove vulnerable version.

Gentoo-Bug: https://bugs.gentoo.org/595256

Package-Manager: portage-2.3.0

net-libs/nodejs/Manifest            |   1 -
net-libs/nodejs/nodejs-4.4.6.ebuild | 143 ------------------------------------
2 files changed, 144 deletions(-)
delete mode 100644 net-libs/nodejs/nodejs-4.4.6.ebuild
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-18 09:19:21 UTC
(In reply to Patrice Clement from comment #16)
> commit 46c05d38950dfe571f292eb33483cad18b732ae7 (HEAD -> master,
> origin/master, origin/HEAD)
> Author:     Patrice Clement <monsieurp@gentoo.org>
> AuthorDate: Sun Dec 18 09:39:19 2016 +0100
> Commit:     Patrice Clement <monsieurp@gentoo.org>
> CommitDate: Sun Dec 18 09:39:19 2016 +0100
> 
> net-libs/nodejs: remove vulnerable version.
> 
> Gentoo-Bug: https://bugs.gentoo.org/595256
> 
> Package-Manager: portage-2.3.0
> 
> net-libs/nodejs/Manifest            |   1 -
> net-libs/nodejs/nodejs-4.4.6.ebuild | 143
> ------------------------------------
> 2 files changed, 144 deletions(-)
> delete mode 100644 net-libs/nodejs/nodejs-4.4.6.ebuild

Thanks!