Bug 11981 - nodejs new security issue CVE-2013-4450 CVE-2013-6639 CVE-2013-6640
Summary: nodejs new security issue CVE-2013-4450 CVE-2013-6639 CVE-2013-6640
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/572104/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on:
Reported: 2013-12-13 17:36 CET by David Walser
Modified: 2016-02-17 23:48 CET (History)
5 users (show)

See Also:
Source RPM: nodejs-0.10.3-2.mga3.src.rpm
CVE: CVE-2013-4450 CVE-2013-6639 CVE-2013-6640
Status comment:


Description David Walser 2013-12-13 17:36:05 CET
OpenSuSE has issued an advisory on December 12:


Steps to Reproduce:
David Walser 2013-12-13 17:36:10 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-12-13 18:24:24 CET
Fedora has issued an advisory for this on October 19:

It looks like the issue was fixed upstream in 0.10.21.  There are also patches.

URL: (none) => http://lwn.net/Vulnerabilities/572104/
Version: Cauldron => 3
Source RPM: nodejs-0.10.22-1.mga4.src.rpm => nodejs-0.10.3-2.mga3.src.rpm
Whiteboard: MGA3TOO => (none)

Comment 2 Damien Lallement 2013-12-23 15:33:45 CET
My bad: nodejs-0.10.21-1.mga3.src.rpm	23-Oct-2013 13:34	 13M
I forget to ask QA for testing... WIP.


Damien Lallement 2013-12-23 15:41:43 CET

Hardware: i586 => All
CVE: (none) => CVE-2013-4450 CVE-2013-6639 CVE-2013-6640
Summary: nodejs new security issue CVE-2013-4450 => nodejs new security issue CVE-2013-4450 CVE-2013-6639 CVE-2013-6640

Comment 3 David Walser 2013-12-23 15:48:09 CET
CVE-2013-6639 and CVE-2013-6640 fixed in 0.10.24 upstream:
Comment 4 David Walser 2013-12-23 15:49:17 CET
Upstream blog entry about CVE-2013-4450:
Comment 5 Damien Lallement 2013-12-23 16:02:24 CET
This update of nodejs is to fix 3 CVE: CVE-2013-4450 CVE-2013-6639 CVE-2013-6640 as requested on mga#11981.


Steps to Reproduce
- Install Mageia 3
- Install nodejs (v0.10.3 from "core/release"
- Use it if you know how it works! [1]
- Install nodejs (v0.10.24) from "core/updates_testing"
- Use it and check it still works! [1][2]

Example on "how to check components version ":
$ node -e "console.log(process.versions)"
Example on "how to check if installation went well":
$ node -e "console.log('Hello World')"

Example on "how to check":
# npm install azure-cli -g
$ azure --help

Assignee: mageia => qa-bugs

Comment 6 David Walser 2013-12-23 16:36:08 CET
Thanks Damien!


Updated nodejs package fixes security vulnerabilities:

A denial of service flaw was found in the way Node.js handled pipelined
HTTP requests. A remote attacker could use this flaw to send an excessive
amount of HTTP requests over a network connection, causing Node.js to use
an excessive amount of memory and possibly exit when all available memory
is exhausted (CVE-2013-4450).

Denial of service issues in the bundled v8 JavaScript library (CVE-2013-6639,


Updated packages in core/updates_testing:

from nodejs-0.10.24-1.mga3.src.rpm

CC: (none) => mageia
Severity: major => critical

Dave Hodgins 2014-01-02 17:49:17 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 7 Dave Hodgins 2014-01-05 21:06:40 CET
Testing complete on Mageia 3 i586 and x86_64

Someone from the sysadmin team please push 11981.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-01-06 02:38:25 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 Len Lawrence 2016-02-17 23:45:27 CET
mga5  i586 in virtualbox  Mate

# urpmi nodejs
Package nodejs-0.10.41-1.mga5.i586 is already installed
Installed nodejs-0.10.42-1.mga5
Following procedure linked in comment #3:
[lcl@cursa ~]$ node -e "console.log(process.versions)"
{ http_parser: '1.1',
  node: '0.10.42',
  v8: '',
  ares: '1.10.0',
  uv: '0.10.36',
  zlib: '1.2.8',
  modules: '11',
  openssl: '1.0.2f' }
[lcl@cursa ~]$ node -e "console.log('Hello World')"
Hello World
[lcl@cursa ~]$ sudo npm install azure-cli -g
npm WARN deprecated This version of npm lacks support for important features,
npm WARN deprecated such as scoped packages, offered by the primary npm
npm WARN deprecated registry. Consider upgrading to at least npm@2, if not the
npm WARN deprecated latest stable version. To upgrade to npm@2, run:
npm WARN deprecated 
npm WARN deprecated   npm -g install npm@latest-2
npm WARN deprecated 
npm WARN deprecated To upgrade to the latest stable version, run:
npm WARN deprecated 
npm WARN deprecated   npm -g install npm@latest
npm WARN deprecated 
npm WARN deprecated (Depending on how Node.js was installed on your system, you
npm WARN deprecated may need to prefix the preceding commands with `sudo`, or if
npm WARN deprecated on Windows, run them from an Administrator prompt.)
npm WARN deprecated 
npm WARN deprecated If you're running the version of npm bundled with
npm WARN deprecated Node.js 0.10 LTS, be aware that the next version of 0.10 LTS
npm WARN deprecated will be bundled with a version of npm@2, which has some small
npm WARN deprecated backwards-incompatible changes made to `npm run-script` and
npm WARN deprecated semver behavior.
npm WARN engine galaxy@0.1.12: wanted: {"node":">=0.11.10"} (current: {"node":"0.10.42","npm":"1.4.29"})
> fibers@1.0.9 install /usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers
> node build.js || nodejs build.js

gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/0.10.42"
EACCES attempting to reinstall using temporary dev dir "/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/.node-gyp"
make: Entering directory '/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/build'
  CXX(target) Release/obj.target/fibers/src/fibers.o
  CXX(target) Release/obj.target/fibers/src/coroutine.o
  CC(target) Release/obj.target/fibers/src/libcoro/coro.o
  SOLINK_MODULE(target) Release/obj.target/fibers.node
  SOLINK_MODULE(target) Release/obj.target/fibers.node: Finished
  COPY Release/fibers.node
make: Leaving directory '/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/build'
Installed in `/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/bin/linux-ia32-v8-3.14/fibers.node`
/usr/bin/azure -> /usr/lib/node_modules/azure-cli/bin/azure
azure-cli@0.9.15 /usr/lib/node_modules/azure-cli
âââ number-is-nan@1.0.0
âââ easy-table@0.0.1
âââ eyes@0.1.8
âââ azure-arm-commerce@0.1.1
âââ xmlbuilder@0.4.3
âââ azure-asm-subscription@0.10.1
âââ swagger-schema-official@2.0.0-a33091a
âââ through@2.3.4
âââ colors@0.6.2

... snipped a number of lines ...

âââ azure-arm-resource@0.10.7
âââ azure-arm-datalake-store@0.1.2 (node-uuid@1.4.7)
âââ azure-asm-sql@0.10.1
âââ azure-asm-sb@0.10.1
âââ ssh-key-to-pem@0.11.0 (asn1@0.1.11, ctype@0.5.2)
âââ azure-asm-website@0.10.1
âââ github@0.1.6
âââ azure-arm-insights@0.10.2
âââ omelette@0.1.0

... and here ...

âââ azure-arm-website@0.10.0 (azure-common@0.9.12)
âââ azure-arm-compute@0.14.0 (ms-rest@1.9.0)
âââ node-forge@0.6.23
âââ azure-arm-network@0.12.0 (ms-rest@1.9.0)
âââ moment@2.6.0
âââ adal-node@0.1.17 (node-uuid@1.4.1, xmldom@0.1.22, xpath.js@1.0.6, jws@3.1.1, date-utils@1.2.18)
âââ ms-rest-azure@1.9.0 (async@0.2.7, uuid@2.0.1, ms-rest@1.9.0, adal-node@0.1.16)
âââ azure-storage@0.7.0 (extend@1.2.1, node-uuid@1.4.7, browserify-mime@1.2.9, validator@3.22.2, xml2js@0.2.7, readable-stream@2.0.5, request@2.57.0)
âââ streamline@0.10.17 (galaxy@0.1.12, source-map@0.1.43, fibers@1.0.9)
[lcl@cursa ~]$ azure --help
info:             _    _____   _ ___ ___
info:            /_\  |_  / | | | _ \ __|
info:      _ ___/ _ \__/ /| |_| |   / _|___ _ _
info:    (___  /_/ \_\/___|\___/|_|_\___| _____)
info:       (_______ _ _)         _ ______ _)_ _ 
info:              (______________ _ )   (___ _ _)
info:    Microsoft Azure: Microsoft's Cloud Platform
info:    Tool version 0.9.15
help:    Display help for a given command
help:      help [options] [command]
help:    Log in to an Azure subscription using Active Directory or a Microsoft account identity.

etc. etc.

OK for 32 bits.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2016-02-17 23:47:18 CET
Rats.  Wrong bug.  Stupid boy!  Can somebody erase comment #9?
Comment 11 David Walser 2016-02-17 23:48:00 CET
(In reply to Len Lawrence from comment #10)
> Rats.  Wrong bug.  Stupid boy!  Can somebody erase comment #9?

Nope, just re-post it in the correct bug.

Note You need to log in before you can comment on or make changes to this bug.