Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658074 (CVE-2018-7161, CVE-2018-7162, CVE-2018-7164, CVE-2018-7167) - <net-libs/nodejs-{6.14.4,8.12.0}: multiple vulnerabilities (CVE-2018-{7161,7162,7164,7167})
Summary: <net-libs/nodejs-{6.14.4,8.12.0}: multiple vulnerabilities (CVE-2018-{7161,71...
Status: IN_PROGRESS
Alias: CVE-2018-7161, CVE-2018-7162, CVE-2018-7164, CVE-2018-7167
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B2 [stable blocked]
Keywords:
Depends on: CVE-2018-12115
Blocks:
  Show dependency tree
 
Reported: 2018-06-13 22:24 UTC by Florian Schuhmacher
Modified: 2019-04-01 16:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-13 22:24:27 UTC
A flaw was found in Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x. Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service.


Gentoo Security Scout
Florian Schuhmacher
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2018-09-15 14:10:48 UTC
CVE-2018-7167 (https://nvd.nist.gov/vuln/detail/CVE-2018-7167):
  Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a
  hang which could result in a Denial of Service. In order to address this
  vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were
  updated so that they zero fill instead of hanging in these cases. All
  versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are
  vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.

CVE-2018-7164 (https://nvd.nist.gov/vuln/detail/CVE-2018-7164):
  Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is
  MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading
  from the network into JavaScript using the net.Socket object directly as a
  stream. An attacker could use this cause a denial of service by sending tiny
  chunks of data in short succession. This vulnerability was restored by
  reverting to the prior behaviour.

CVE-2018-7162 (https://nvd.nist.gov/vuln/detail/CVE-2018-7162):
  All versions of Node.js 9.x and 10.x are vulnerable and the severity is
  HIGH. An attacker can cause a denial of service (DoS) by causing a node
  process which provides an http server supporting TLS server to crash. This
  can be accomplished by sending duplicate/unexpected messages during the
  handshake. This vulnerability has been addressed by updating the TLS
  implementation.

CVE-2018-7161 (https://nvd.nist.gov/vuln/detail/CVE-2018-7161):
  All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity
  is HIGH. An attacker can cause a denial of service (DoS) by causing a node
  server providing an http2 server to crash. This can be accomplished by
  interacting with the http2 server in a manner that triggers a cleanup bug
  where objects are used in native code after they are no longer available.
  This has been addressed by updating the http2 implementation.
Comment 2 Thomas Stein 2018-12-17 07:51:28 UTC
Hi Devs.

There are already even more security releases available.

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/