Bug 18481

Summary: nodejs new security issue fixed in bundled npm (also CVE-2016-1669)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: nodejs-0.10.42-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-05-18 03:57:00 CEST
Node.js has issued an advisory on March 31:
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

The issue is fixed in nodejs 0.44:
https://nodejs.org/en/blog/release/v0.10.44/

The npm version string was fixed in nodejs 0.45:
https://nodejs.org/en/blog/release/v0.10.45/

There were also other bugs fixed since our last update, in nodejs 0.43:
https://nodejs.org/en/blog/release/v0.10.43/

The openssl issues do not affect us.

Comment 1 David Walser 2016-06-14 14:32:34 CEST
Note that a 0.10.46 release with an additional security fix will be coming later this week:
https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/

Comment 2 Joseph Wang 2016-06-15 04:45:21 CEST
Re-assigning to neoclust.  Feel free to reassign back if you need any help.

Assignee: joequant => neoclust

Comment 3 David Walser 2016-09-08 22:26:29 CEST
(In reply to David Walser from comment #1)
> Note that a 0.10.46 release with an additional security fix will be coming
> later this week:
> https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/

0.10.46 with a fix for CVE-2016-1669 is available.

Assignee: neoclust => mageia
Summary: nodejs new security issue fixed in bundled npm => nodejs new security issue fixed in bundled npm (also CVE-2016-1669)

Comment 4 David Walser 2016-09-08 23:20:36 CEST
Updated package uploaded for Mageia 5.

Test procedure:
https://bugs.mageia.org/show_bug.cgi?id=11981#c5

Advisory:
========================

Updated nodejs package fixes security vulnerabilities:

Under certain conditions, V8 may improperly expand memory allocations in the
Zone::New function. This could potentially be used to cause a Denial of Service
via buffer overflow or as a trigger for a remote code execution (CVE-2016-1669).

The primary npm registry has used HTTP bearer tokens to authenticate requests
from the npm command-line interface. Due to a design flaw in the CLI, these
bearer tokens were sent with every request made by the CLI for logged-in users,
regardless of the destination of the request. This flaw allows an attacker to
set up an HTTP server that could collect authentication information they could
use to impersonate the users whose tokens they collected. This impersonation
would allow them to do anything the compromised users could do, including
publishing new versions of packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669
https://nodejs.org/en/blog/release/v0.10.44/
https://nodejs.org/en/blog/release/v0.10.45/
https://nodejs.org/en/blog/release/v0.10.46/
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.46-1.mga5

from nodejs-0.10.46-1.mga5.src.rpm

Assignee: mageia => qa-bugs
Whiteboard: (none) => has_procedure
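
The token-scoping flaw described in the advisory text of comment 4, as an added example (not part of the bug report and not npm's code): `headersLeaky` attaches the bearer token to every request, while `headersScoped` attaches it only when the destination matches the registry the token was issued for. All function names, hosts and the token value are constructed for illustration.

```javascript
// Added illustration: function names, hosts and token are constructed,
// not taken from npm's source.

// Behaviour the advisory describes: the token accompanies every request,
// regardless of destination.
function headersLeaky(requestUrl, token) {
  return { authorization: `Bearer ${token}` };
}

// Scoped behaviour: attach the token only when the request goes to the
// registry it was issued for (same scheme, host and port, path under the
// registry base path) and never over plaintext HTTP.
function headersScoped(requestUrl, token, registryUrl) {
  let target, registry;
  try {
    target = new URL(requestUrl);
    registry = new URL(registryUrl);
  } catch (err) {
    return {}; // unparseable URL: fail closed, send no credentials
  }
  const base = registry.pathname.endsWith('/')
    ? registry.pathname
    : registry.pathname + '/';
  const sameOrigin = target.origin === registry.origin;
  const underBase = (target.pathname + '/').startsWith(base);
  const encrypted = target.protocol === 'https:';
  return sameOrigin && underBase && encrypted
    ? { authorization: `Bearer ${token}` }
    : {};
}

// Constructed sample destinations using reserved .test names.
const REGISTRY = 'https://registry.example.test/';
const SAMPLES = [
  'https://registry.example.test/some-package',
  'https://tarballs.collector.test/some-package.tgz', // different host
  'https://registry.example.test.collector.test/pkg', // lookalike suffix
  'https://registry.example.test@collector.test/pkg', // userinfo trick
  'http://registry.example.test/some-package',        // plaintext
];

// Return the sample URLs that would receive the token under `builder`.
function audit(builder) {
  return SAMPLES.filter(
    (url) => 'authorization' in builder(url, 'tok-constructed', REGISTRY));
}

console.log('leaky :', audit(headersLeaky));
console.log('scoped:', audit(headersScoped));
```

Comparing on the parsed origin rather than on a string prefix is what rejects the lookalike-suffix and userinfo forms in the sample list.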

Comment 5 Dave Hodgins 2016-09-13 02:23:08 CEST
Lots of warning and error messages from npm install azure-cli -g, but it works.
Validating.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-09-21 22:39:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0307.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED