| Summary: | nodejs new security issues CVE-2020-8265 and CVE-2020-8287 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | mageia, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | nodejs-10.22.1-9.mga7.src.rpm | CVE: | CVE-2020-8265, CVE-2020-8287 |
| Status comment: | | | |

Description
Nicolas Salguero
2021-01-05 09:14:59 CET

Nicolas Salguero
2021-01-05 09:16:58 CET
Severity: normal => major

Nicolas Salguero
2021-01-05 09:33:58 CET
Assignee: nicolas.salguero => joequant

fixed in cauldron

Version: Cauldron => 7

Debian has issued an advisory for this on January 6:
https://www.debian.org/security/2021/dsa-4826

Fedora has issued an advisory for this on January 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. (CVE-2020-8265)

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287
https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
https://nodejs.org/en/blog/release/v10.23.1/
https://www.debian.org/security/2021/dsa-4826
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
========================

Updated packages in core/updates_testing:
========================
nodejs-10.23.1-10.mga7
nodejs-devel-10.23.1-10.mga7
nodejs-libs-10.23.1-10.mga7
v8-devel-6.8.275.32-10.mga7
npm-6.14.10-1.10.23.1.10.mga7
nodejs-docs-10.23.1-10.mga7

from SRPM:
nodejs-10.23.1-10.mga7.src.rpm

Assignee: joequant => qa-bugs

MGA7 x86_64 Plasma Desktop

No installation issues.

Ref bug 21330 Comment 51 for testing

$ node main.js
Server running at http://127.0.0.1:8081/

point browser to http://localhost:8081/ shows "Hello World"
So OK.

From main.js attachment 11889.

MGA7-64-OK

Validating.

Advisory pushed to SVN.

CC: (none) => ouaurelien

Aurelien Oudelet
2021-02-05 10:15:05 CET
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0069.html

Status: ASSIGNED => RESOLVED
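
An added example, not part of the bug report and not Node.js or Mageia code: a check for the duplicate header condition that the CVE-2020-8287 text in the suggested advisory describes, applied to headers in the `[name, value, ...]` layout that Node's `rawHeaders` property uses. The function names and the sample header lists are constructed for illustration.

```javascript
// Added example: flag requests whose body-framing headers are ambiguous.
// Function names and sample data are hypothetical, not from Node.js.

// Headers that decide where a request body ends. When one of them appears
// twice, two HTTP parsers can disagree about the request boundary.
const FRAMING_HEADERS = new Set(['transfer-encoding', 'content-length']);

// rawHeaders follows the layout of http.IncomingMessage#rawHeaders:
// [name1, value1, name2, value2, ...], original case, duplicates not merged.
function auditFramingHeaders(rawHeaders) {
  const seen = new Map(); // lower-cased name -> values in arrival order
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).trim().toLowerCase();
    if (!FRAMING_HEADERS.has(name)) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(String(rawHeaders[i + 1]).trim());
  }
  const findings = [];
  for (const [name, values] of seen) {
    // Conservative choice: a repeat is flagged even if the values agree.
    if (values.length > 1) {
      findings.push({ rule: 'duplicate-header', header: name, values });
    }
  }
  // Transfer-Encoding together with Content-Length is ambiguous as well.
  if (seen.has('transfer-encoding') && seen.has('content-length')) {
    findings.push({ rule: 'te-and-cl', header: 'transfer-encoding', values: [] });
  }
  return findings;
}

// Decision a middleware or log-audit job could apply to each request.
function shouldReject(rawHeaders) {
  return auditFramingHeaders(rawHeaders).length > 0;
}

// Constructed sample inputs (not captured traffic).
const DUPLICATE_TE = [
  'Host', 'example.test',
  'Transfer-Encoding', 'chunked',
  'transfer-encoding', 'identity',
];
const CLEAN = ['Host', 'example.test', 'Content-Length', '12'];

console.log(auditFramingHeaders(DUPLICATE_TE));
console.log(shouldReject(CLEAN));
```
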