| Summary: | nodejs new security issue CVE-2015-0278 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | joequant, mageia, oe, shlomif, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/635283/ | ||
| Whiteboard: | has_procedure advisory MGA4-32-OK MGA4-64-OK | ||
| Source RPM: | nodejs-0.10.33-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2015-03-02 23:04:32 CET

David Walser 2015-03-02 23:04:44 CET
Whiteboard: (none) => MGA5TOO, MGA4TOO

Joseph, you promised to keep nodejs patched for security issues, please confirm that you are still willing to do so or I'm going to drop it for good :)
CC: (none) => mageia

Will fix

Fixed in cauldron. Will update MGA4

It's not fixed in Cauldron. Nothing was committed in SVN.

The libuv versioning confused me. This CVE was fixed in libuv 0.10.36, which is bundled in nodejs as of nodejs 0.10.37. nodejs-0.10.38-1.mga5 uploaded for Cauldron fixes this. Thanks Joseph!
Version: Cauldron => 4

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================
Updated nodejs package fixes security vulnerability:

It was found that libuv does not call setgroups before calling setuid/setgid. This may potentially allow an attacker to gain elevated privileges (CVE-2015-0278).

The libuv library is bundled with nodejs, and a fixed version of libuv is included with nodejs as of version 0.10.37. The nodejs package has been updated to version 0.10.38 to fix this issue, as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0278
http://blog.nodejs.org/2014/12/17/node-v0-10-34-stable/
http://blog.nodejs.org/2014/12/23/node-v0-10-35-stable/
http://blog.nodejs.org/2015/01/26/node-v0-10-36-stable/
http://blog.nodejs.org/2015/03/14/node-v0-10-37-stable/
http://blog.nodejs.org/2015/03/23/node-v0-10-38-maintenance/
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html
========================
Updated packages in core/updates_testing:
========================
nodejs-0.10.38-1.mga4
from nodejs-0.10.38-1.mga4.src.rpm
CC: (none) => joequant

There's a test procedure here: https://bugs.mageia.org/show_bug.cgi?id=11981#c5
CC: (none) => shlomif

Test procedure runs fine on an MGA4-x86-64 VBox VM. Adding MGA4-64-OK.
Whiteboard: has_procedure => MGA4-64-OK has_procedure

Test procedure works fine on a 32-bit i586 VBox VM too. Adding "MGA4-32-OK".
Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Thanks Shlomi. Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0186.html
Status: NEW => RESOLVED

FYI. I tried with libuv-1.4.2 but nodejs-0.10.38 did not like it.
CC: (none) => oe

I don't know anything about libuv, but v8 is another library that's bundled with nodejs, and I know that it isn't designed to be used as a system library. I wouldn't be surprised if libuv was the same way.
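The advisory in this bug describes the bug class behind CVE-2015-0278: a process that calls setuid()/setgid() without first calling setgroups() keeps every supplementary group the parent had, so a child spawned "as an unprivileged user" can still carry root's group memberships. The C below is an added example written for this page, not libuv's, nodejs's or Mageia's code. It shows the drop order that avoids the problem together with the verification a hardened spawn path should perform after the drop; the function names, the 128-entry group buffer, the constructed sample group lists and the unprivileged id 65534 used in main are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in `groups` that are not `target_gid`. After a correct drop
 * to target_gid the only supplementary group left is target_gid itself (or
 * none), so any other entry is a membership the process never gave up. */
int count_leaked_groups(const gid_t *groups, int ngroups, gid_t target_gid)
{
    int leaked = 0;
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] != target_gid)
            leaked++;
    }
    return leaked;
}

/* Drop from root to uid/gid in the only order that works:
 *   1. setgroups() -- clear supplementary groups (needs root / CAP_SETGID)
 *   2. setgid()    -- primary group (needs root)
 *   3. setuid()    -- last, because this is the call that gives root away
 * The CVE-2015-0278 class of bug is skipping step 1: steps 2 and 3 still
 * succeed, but the child keeps the parent's supplementary groups.
 * Returns 0 on a verified drop, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[128];   /* assumed upper bound; more groups fails closed */
    int n;

    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Never trust the drop: check real and effective ids ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and that no supplementary group survived. */
    n = getgroups((int)(sizeof groups / sizeof groups[0]), groups);
    if (n < 0)
        return -1;
    if (count_leaked_groups(groups, n, gid) != 0) {
        errno = EPERM;
        return -1;
    }
    /* A real drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Constructed sample (not a live process): the group list a root-spawned
 * child would carry if setgroups() were skipped, i.e. root's groups plus
 * the target gid 1000. Three of the four entries are leaked memberships. */
int leaked_after_buggy_drop(void)
{
    static const gid_t groups[] = {0, 4, 27, 1000};
    return count_leaked_groups(groups, 4, 1000);
}

/* Constructed sample: the group list after a correct drop to gid 1000. */
int leaked_after_correct_drop(void)
{
    static const gid_t groups[] = {1000};
    return count_leaked_groups(groups, 1, 1000);
}

int main(void)
{
    printf("leaked groups, buggy drop:   %d\n", leaked_after_buggy_drop());
    printf("leaked groups, correct drop: %d\n", leaked_after_correct_drop());
    if (getuid() != 0) {
        puts("not root: skipping the live privilege drop");
        return 0;
    }
    /* 65534 is assumed here to be an unprivileged uid/gid (often nobody). */
    if (drop_privileges(65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    puts("privilege drop verified");
    return 0;
}
```

Run as an ordinary user the program only exercises the constructed samples; run as root it performs and verifies a real drop to uid/gid 65534. The post-drop checks are the point for a reviewer: a spawn path that calls the three functions but never reads back getgroups() cannot tell the fixed libuv behaviour from the vulnerable one.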