Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 726836 (CVE-2020-8172, CVE-2020-8174) - <net-libs/nodejs-14.4.0 : Multiple vulnerabilities (CVE-2020-8172, CVE-2020-8174)
Summary: <net-libs/nodejs-14.4.0 : Multiple vulnerabilities (CVE-2020-8172, CVE-2020-8...
Status: RESOLVED FIXED
Alias: CVE-2020-8172, CVE-2020-8174
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/nodejs/node/releas...
Whiteboard: A3 [glsa+ cve]
Keywords: STABLEREQ
Depends on: 727670 CVE-2020-8201, CVE-2020-8251
Blocks:
  Show dependency tree
 
Reported: 2020-06-02 20:29 UTC by Jeroen Roovers (RETIRED)
Modified: 2021-01-11 09:16 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2020-06-02 20:29:28 UTC
Vulnerabilities fixed:

CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Comment 1 Sam James archtester gentoo-dev Security 2020-06-02 21:12:05 UTC
Let us know when bumped.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-02 21:30:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e65f5af5552a2226f8a1e50f956aa921c5ecde96

commit e65f5af5552a2226f8a1e50f956aa921c5ecde96
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-06-02 21:29:36 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-06-02 21:30:16 +0000

    net-libs/nodejs: Version 14.4.0
    
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=726836
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest             |   1 +
 net-libs/nodejs/nodejs-14.4.0.ebuild | 200 +++++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-06-07 21:09:10 UTC
@maintainer(s), are we ready to stabilise now nghttp2 is done?
Comment 4 Sam James archtester gentoo-dev Security 2020-06-08 21:15:10 UTC
Let's try it because of the severity but let us know if you are not happy.
Comment 5 Sam James archtester gentoo-dev Security 2020-06-09 13:03:43 UTC
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-09 13:47:12 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-09 13:48:21 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-09 13:54:57 UTC
x86 stable
Comment 9 Sam James archtester gentoo-dev Security 2020-07-17 00:03:04 UTC
@ppc, ppc64: ping
Comment 10 NATTkA bot gentoo-dev 2020-08-28 19:53:14 UTC Comment hidden (obsolete)
Comment 11 Larry the Git Cow gentoo-dev 2020-09-04 07:09:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eda2daf31ca9729e117cdf8ada5c3ac90fc20780

commit eda2daf31ca9729e117cdf8ada5c3ac90fc20780
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-04 07:03:41 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-04 07:09:38 +0000

    net-libs/nodejs: Restore some of the 12.x.x branch
    
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    RepoMan-Options: --force
    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/739340
    Closes: https://bugs.gentoo.org/740218
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest                           |   2 +
 net-libs/nodejs/files/nodejs-99999999-llhttp.patch |  20 ++
 net-libs/nodejs/nodejs-12.16.1.ebuild              | 213 +++++++++++++++++++++
 net-libs/nodejs/nodejs-12.18.3.ebuild              | 213 +++++++++++++++++++++
 4 files changed, 448 insertions(+)
Comment 12 NATTkA bot gentoo-dev 2020-09-30 06:29:01 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2020-11-09 15:09:12 UTC Comment hidden (obsolete)
Comment 14 Marek Szuba gentoo-dev 2020-11-09 15:12:38 UTC
I have just pushed 14.15.0, which includes a fix for crashes on PPC64. Now to have it stabilised.

Runtime testing: only needed on ppc64 (and ppc?), check if it crashes.
Comment 15 NATTkA bot gentoo-dev 2020-11-09 15:13:14 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2020-11-09 15:17:21 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2020-11-09 15:21:06 UTC Comment hidden (obsolete)
Comment 18 Larry the Git Cow gentoo-dev 2020-11-21 20:26:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b094fb3db96fe457eecee465812486cb7880e5a

commit 4b094fb3db96fe457eecee465812486cb7880e5a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-21 20:16:13 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-21 20:26:27 +0000

    net-libs/nodejs: remove 12.18.4 and 14.2.0
    
    Tickets pertaining to CVE-2020-8201, CVE-2020-8251, CVE-2020-8172,
    CVE-2020-8174 and CVE-2020-15095 should now be safe to close.
    
    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/731654
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                 |   2 -
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 216 -------------------------------
 net-libs/nodejs/nodejs-14.2.0.ebuild     | 201 ----------------------------
 3 files changed, 419 deletions(-)
Comment 19 NATTkA bot gentoo-dev 2021-01-10 16:05:07 UTC
Unable to check for sanity:

> no match for package: net-libs/nodejs-14.15.0
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:16:55 UTC
This issue was resolved and addressed in
 GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07
by GLSA coordinator Sam James (sam_c).