OpenSuSE has issued an advisory on December 12: http://lists.opensuse.org/opensuse-updates/2013-12/msg00051.html
Whiteboard: (none) => MGA3TOO
Fedora has issued an advisory for this on October 19: https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119798.html It looks like the issue was fixed upstream in 0.10.21. There are also patches.
URL: (none) => http://lwn.net/Vulnerabilities/572104/
Version: Cauldron => 3
Source RPM: nodejs-0.10.22-1.mga4.src.rpm => nodejs-0.10.3-2.mga3.src.rpm
Whiteboard: MGA3TOO => (none)
My bad: nodejs-0.10.21-1.mga3.src.rpm 23-Oct-2013 13:34 13M. I forgot to ask QA for testing... WIP.
Status: NEW => ASSIGNED
Hardware: i586 => All
CVE: (none) => CVE-2013-4450 CVE-2013-6639 CVE-2013-6640
Summary: nodejs new security issue CVE-2013-4450 => nodejs new security issue CVE-2013-4450 CVE-2013-6639 CVE-2013-6640
CVE-2013-6639 and CVE-2013-6640 fixed in 0.10.24 upstream: http://blog.nodejs.org/2013/12/19/node-v0-10-24-stable/
Upstream blog entry about CVE-2013-4450: http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos/
Advisory
====================
This update of nodejs is to fix 3 CVE: CVE-2013-4450 CVE-2013-6639 CVE-2013-6640 as requested on mga#11981.

Packages
====================
nodejs-0.10.24-1.mga3.src.rpm

Steps to Reproduce
====================
- Install Mageia 3
- Install nodejs (v0.10.3) from "core/release"
- Use it if you know how it works! [1]
- Install nodejs (v0.10.24) from "core/updates_testing"
- Use it and check it still works! [1][2]

[1] Example on "how to check components version":
$ node -e "console.log(process.versions)"
Example on "how to check if installation went well":
$ node -e "console.log('Hello World')"

[2] Example on "how to check":
first
# npm install azure-cli -g
then
$ azure --help
Assignee: mageia => qa-bugs
Thanks Damien!

Advisory:
========================

Updated nodejs package fixes security vulnerabilities:

A denial of service flaw was found in the way Node.js handled pipelined HTTP requests. A remote attacker could use this flaw to send an excessive amount of HTTP requests over a network connection, causing Node.js to use an excessive amount of memory and possibly exit when all available memory is exhausted (CVE-2013-4450).

Denial of service issues in the bundled v8 JavaScript library (CVE-2013-6639, CVE-2013-6640).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6640
http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos/
http://blog.nodejs.org/2013/12/19/node-v0-10-24-stable/
https://rhn.redhat.com/errata/RHSA-2013-1842.html
========================

Updated packages in core/updates_testing:
========================

nodejs-0.10.24-1.mga3 from nodejs-0.10.24-1.mga3.src.rpm
CC: (none) => mageia
Severity: major => critical
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
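The advisory above ties each CVE to the upstream release that fixes it (CVE-2013-4450 in 0.10.21, CVE-2013-6639 and CVE-2013-6640 in 0.10.24). The following is an added example, not code from this bug report or from the nodejs project: a small Node.js script that parses the object literal printed by the `node -e "console.log(process.versions)"` check from the test procedure, compares the reported `node` version segment by segment against those fixed versions, and lists which of the three CVEs the installed release predates. The `FIXED_IN` table, the function names and the sample output string are all assumptions made for the example.

```javascript
// Added example (not from the Mageia bug or the nodejs project).
// Checks an installed Node.js 0.10.x version string against the upstream
// releases that the bug comments name as the fix for each CVE.

// CVE -> first upstream release containing the fix (values from the bug comments).
const FIXED_IN = {
  'CVE-2013-4450': '0.10.21',
  'CVE-2013-6639': '0.10.24',
  'CVE-2013-6640': '0.10.24',
};

// Numeric, segment-by-segment comparison of dotted version strings.
// A trailing suffix such as "-pre" on a segment is ignored by parseInt.
// Returns < 0 if a is older than b, 0 if equal, > 0 if a is newer.
function compareVersions(a, b) {
  const pa = a.split('.').map((s) => parseInt(s, 10) || 0);
  const pb = b.split('.').map((s) => parseInt(s, 10) || 0);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Parse what `node -e "console.log(process.versions)"` prints. It is an
// object literal with unquoted keys and single-quoted values, not JSON,
// so a small regex is used rather than JSON.parse.
function parseVersionsOutput(text) {
  const out = {};
  const re = /([A-Za-z_][A-Za-z0-9_]*):\s*'([^']*)'/g;
  let m;
  while ((m = re.exec(text)) !== null) out[m[1]] = m[2];
  return out;
}

// CVEs from FIXED_IN whose fixing release is newer than nodeVersion.
function unfixedCves(nodeVersion) {
  return Object.keys(FIXED_IN).filter(
    (cve) => compareVersions(nodeVersion, FIXED_IN[cve]) < 0
  );
}

// Run the whole check on captured console output.
function checkOutput(text) {
  const versions = parseVersionsOutput(text);
  if (!versions.node) throw new Error('no node version found in output');
  return { node: versions.node, unfixed: unfixedCves(versions.node) };
}

// Constructed sample (assumption): output in the shape the test procedure shows.
const SAMPLE_OUTPUT =
  "{ http_parser: '1.1', node: '0.10.42', v8: '3.14.5.9', ares: '1.10.0', " +
  "uv: '0.10.36', zlib: '1.2.8', modules: '11', openssl: '1.0.2f' }";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkOutput(SAMPLE_OUTPUT));
  console.log('0.10.3 still lacks fixes for:', unfixedCves('0.10.3'));
}
```

Running it directly prints the result for the constructed sample and for the pre-update 0.10.3 package. The comparison is against upstream version numbers only; a distribution build can carry a backported patch under an older version string, so the package changelog remains the authoritative source when the version looks too old.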
Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11981.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0007.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
mga5 i586 in virtualbox, Mate

# urpmi nodejs
Package nodejs-0.10.41-1.mga5.i586 is already installed

Installed nodejs-0.10.42-1.mga5

Following procedure linked in comment #3:

[lcl@cursa ~]$ node -e "console.log(process.versions)"
{ http_parser: '1.1', node: '0.10.42', v8: '3.14.5.9', ares: '1.10.0', uv: '0.10.36', zlib: '1.2.8', modules: '11', openssl: '1.0.2f' }

[lcl@cursa ~]$ node -e "console.log('Hello World')"
Hello World

[lcl@cursa ~]$ sudo npm install azure-cli -g
npm WARN deprecated This version of npm lacks support for important features,
npm WARN deprecated such as scoped packages, offered by the primary npm
npm WARN deprecated registry. Consider upgrading to at least npm@2, if not the
npm WARN deprecated latest stable version. To upgrade to npm@2, run:
npm WARN deprecated
npm WARN deprecated   npm -g install npm@latest-2
npm WARN deprecated
npm WARN deprecated To upgrade to the latest stable version, run:
npm WARN deprecated
npm WARN deprecated   npm -g install npm@latest
npm WARN deprecated
npm WARN deprecated (Depending on how Node.js was installed on your system, you
npm WARN deprecated may need to prefix the preceding commands with `sudo`, or if
npm WARN deprecated on Windows, run them from an Administrator prompt.)
npm WARN deprecated
npm WARN deprecated If you're running the version of npm bundled with
npm WARN deprecated Node.js 0.10 LTS, be aware that the next version of 0.10 LTS
npm WARN deprecated will be bundled with a version of npm@2, which has some small
npm WARN deprecated backwards-incompatible changes made to `npm run-script` and
npm WARN deprecated semver behavior.
npm WARN engine galaxy@0.1.12: wanted: {"node":">=0.11.10"} (current: {"node":"0.10.42","npm":"1.4.29"})

> fibers@1.0.9 install /usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers
> node build.js || nodejs build.js

gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/0.10.42"
EACCES attempting to reinstall using temporary dev dir "/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/.node-gyp"
make: Entering directory '/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/build'
  CXX(target) Release/obj.target/fibers/src/fibers.o
  CXX(target) Release/obj.target/fibers/src/coroutine.o
  CC(target) Release/obj.target/fibers/src/libcoro/coro.o
  SOLINK_MODULE(target) Release/obj.target/fibers.node
  SOLINK_MODULE(target) Release/obj.target/fibers.node: Finished
  COPY Release/fibers.node
make: Leaving directory '/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/build'
Installed in `/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/bin/linux-ia32-v8-3.14/fibers.node`
/usr/bin/azure -> /usr/lib/node_modules/azure-cli/bin/azure
azure-cli@0.9.15 /usr/lib/node_modules/azure-cli
├── number-is-nan@1.0.0
├── easy-table@0.0.1
├── eyes@0.1.8
├── azure-arm-commerce@0.1.1
├── xmlbuilder@0.4.3
├── azure-asm-subscription@0.10.1
├── swagger-schema-official@2.0.0-a33091a
├── through@2.3.4
├── colors@0.6.2
... snipped a number of lines ...
├── azure-arm-resource@0.10.7
├── azure-arm-datalake-store@0.1.2 (node-uuid@1.4.7)
├── azure-asm-sql@0.10.1
├── azure-asm-sb@0.10.1
├── ssh-key-to-pem@0.11.0 (asn1@0.1.11, ctype@0.5.2)
├── azure-asm-website@0.10.1
├── github@0.1.6
├── azure-arm-insights@0.10.2
├── omelette@0.1.0
... and here ...
├── azure-arm-website@0.10.0 (azure-common@0.9.12)
├── azure-arm-compute@0.14.0 (ms-rest@1.9.0)
├── node-forge@0.6.23
├── azure-arm-network@0.12.0 (ms-rest@1.9.0)
├── moment@2.6.0
├── adal-node@0.1.17 (node-uuid@1.4.1, xmldom@0.1.22, xpath.js@1.0.6, jws@3.1.1, date-utils@1.2.18)
├── ms-rest-azure@1.9.0 (async@0.2.7, uuid@2.0.1, ms-rest@1.9.0, adal-node@0.1.16)
├── azure-storage@0.7.0 (extend@1.2.1, node-uuid@1.4.7, browserify-mime@1.2.9, validator@3.22.2, xml2js@0.2.7, readable-stream@2.0.5, request@2.57.0)
└── streamline@0.10.17 (galaxy@0.1.12, source-map@0.1.43, fibers@1.0.9)

[lcl@cursa ~]$ azure --help
info:     _    _____   _ ___ ___
info:    /_\  |_  / | | | _ \ __|
info:  _ ___/ _ \__/ /| |_| |   / _|___ _ _
info: (___  /_/ \_\/___|\___/|_|_\___| _____)
info:    (_______ _ _)         _ ______ _)_ _
info:           (______________ _ )   (___ _ _)
info:
info:    Microsoft Azure: Microsoft's Cloud Platform
info:
info:    Tool version 0.9.15
help:
help:    Display help for a given command
help:      help [options] [command]
help:
help:    Log in to an Azure subscription using Active Directory or a Microsoft account identity.

etc. etc.

OK for 32 bits.
CC: (none) => tarazed25
Rats. Wrong bug. Stupid boy! Can somebody erase comment #9?
(In reply to Len Lawrence from comment #10)
> Rats. Wrong bug. Stupid boy! Can somebody erase comment #9?

Nope, just re-post it in the correct bug.