Bug 19550

Summary: nodejs new security issues CVE-2016-5325 and CVE-2016-7099
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/702896/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: nodejs-4.5.0-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-10-07 19:10:49 CEST 
Nodejs has issued an advisory on September 23:
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

SUSE has issued an advisory for this on October 6:
https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html

The issues are fixed in 0.10.47 and 4.6.0:
https://nodejs.org/en/blog/release/v0.10.47/
https://nodejs.org/en/blog/release/v4.6.0/
David Walser 2016-10-07 19:10:58 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-10-07 23:46:51 CEST 
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => joequant

Comment 2 David Walser 2016-11-26 17:05:45 CET 
Fixed in Cauldron by Nicolas.  Thanks!

CC: (none) => mageia
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2017-07-09 03:04:08 CEST 
Updated package uploaded for Mageia 5.

Test procedure:
https://bugs.mageia.org/show_bug.cgi?id=11981#c5

Advisory:
========================

Updated nodejs package fixes security vulnerability:

Node.js has a defect that that may make HTTP response splitting possible under
certain circumstances. If user-input is passed to the reason argument to
writeHead() on an HTTP response, a new-line character may be used to inject
additional responses (CVE-2016-5325).

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does not
properly handle wildcards in name fields of X.509 certificates, which allows
man-in-the-middle attackers to spoof servers via a crafted certificate
(CVE-2016-7099).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7099
https://nodejs.org/en/blog/release/v0.10.47/
https://nodejs.org/en/blog/release/v0.10.48/
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.48-1.mga5

from nodejs-0.10.48-1.mga5.src.rpm

Whiteboard: (none) => has_procedure
Assignee: joequant => qa-bugs

Comment 4 Dave Hodgins 2017-07-13 04:03:40 CEST 
[root@x5v ~]# node -e "console.log('Hello World')"
Hello World

Same result on i586. Validating the update.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2017-07-13 11:22:06 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0204.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED