CVEs have been assigned for several issues discovered by the Node Security project:
http://openwall.com/lists/oss-security/2014/05/13/1
http://openwall.com/lists/oss-security/2014/05/15/2

It sounds like these are maybe different components bundled into Node.js that contain the vulnerabilities.

On the first message, the CVEs listed at the beginning refer to the following:

CVE-2013-7370 CVE-2013-7371:
https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
More info at: http://seclists.org/oss-sec/2014/q2/151

CVE-2013-6393:
https://nodesecurity.io/advisories/libyaml_heap-based_buffer_overflow_when_parsing_YAML_tags
which we've fixed in our libyaml package already

CVE-2013-4660:
https://nodesecurity.io/advisories/JS-YAML_Deserialization_Code_Execution

The second message linked at the beginning of this bug report gave CVEs to the other nodesecurity advisories.

I'm not sure which Node.js versions may be affected or may contain fixes for these, but we may want to update Node.js for stable releases some time soon.
Whiteboard: (none) => MGA4TOO, MGA3TOO
In addition to this, there seems to be a problem in node.js environment. I have a script written in nodejs javascript and cannot run it directly, need to run "node myscript.js". It claims some file doesn't exist when run with "./myscript.js" (and with a #!/usr/bin/env node at the header).
CC: (none) => pkreuzt
Sorry, forget the preceding message, it was a line ending CR_LF issue caused by pastebin.
Here's a Fedora advisory for v8 that specifically mentions nodejs:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136333.html

from http://lwn.net/Vulnerabilities/608199/

The RedHat bug for that links to the upstream blog post:
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
(In reply to David Walser from comment #3)
> Here's a Fedora advisory for v8 that specifically mentions nodejs:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136333.html
>
> from http://lwn.net/Vulnerabilities/608199/
>
> The RedHat bug for that links to the upstream blog post:
> http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/

CVE request:
http://openwall.com/lists/oss-security/2014/09/03/3
(In reply to David Walser from comment #4)
> (In reply to David Walser from comment #3)
> > Here's a Fedora advisory for v8 that specifically mentions nodejs:
> > https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136333.html
> >
> > from http://lwn.net/Vulnerabilities/608199/
> >
> > The RedHat bug for that links to the upstream blog post:
> > http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
>
> CVE request:
> http://openwall.com/lists/oss-security/2014/09/03/3

Response from MITRE:
http://openwall.com/lists/oss-security/2014/09/04/10

This has CVE-2014-5256 and the CVE is for nodejs itself, not v8.

Damien, do you have plans to schedule a nodejs update for stable releases?
CVE request for more security issues: http://openwall.com/lists/oss-security/2014/09/24/1
CVE request for more security issues: http://openwall.com/lists/oss-security/2014/09/29/2
And a response: http://openwall.com/lists/oss-security/2014/09/30/10
Here's the changelog for the current version 0.9.33: http://nodejs.org/dist/v0.10.33/docs/changelog.html You can also see that in 0.9.31 they fixed CVE-2013-6668 in v8.
Thierry, I can see that you have imported a long list of packages into cauldron that depend on nodejs. I expect you to fix those security issues here or I'll do the evil move and drop nodejs as a big security concern for mga5 - the package needs a maintainer who cares about security, if we don't have such maintainer we don't need the package either..
CC: (none) => mageia
Assignee: mageia => thierry.vignaud
Version 0.10.33 was recently pushed in Cauldron, so it should be OK there for now. Mageia 3 and Mageia 4 also have the 0.10 branch, so we should be able to just update it, but I had asked on the dev ml about changes in the Cauldron spec and whether they should or should not be included in the mga3/mga4 update. At the very least, I just need some feedback on that.
CC: (none) => joequant
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Last warning.. :)
Whiteboard: MGA3TOO => (none)
(In reply to Sander Lepik from comment #10)
> Thierry, I can see that you have imported a long list of packages into
> cauldron that depend on nodejs. I expect you to fix those security issues
> here or I'll do the evil move and drop nodejs as a big security concern for
> mga5 - the package needs a maintainer who cares about security, if we don't
> have such maintainer we don't need the package either..

I've imported them so that we don't have broken deps
So you don't actually care if it's dropped from cauldron completely? As I don't want it to grow into another unmaintained security mess like the java stack currently is. We either have maintainer for it or we won't have it at all. Nobody else seems to care..
I was only interested in the mga5 mass rebuild.
I tried to fix as many deps as possible, shrinking broken deps from a 1Mb html page to a 8ko one.

As far as I'm concerned, the nodejs maintainer would be dams.

I think you should check the impacts using "urpmf --requires" for binary deps and "urpmf --requires --synthesis SRPMS/core/release/media_info/synt*cz" for source deps in order to identify which end packages would be affected.

Then you could mail this to dev ml & affected packagers, warning their packages would be at risk b/c of their nodejs deps.
Hardware: i586 => All
Assignee: thierry.vignaud => bugsquad
I'll update everything to the latest versions.
Upgraded nodejs-js-yaml to latest version to fix CVE-2013-4660
I've requested a freeze push for js-yaml that fixes that issue. nodejs-connect is not in Mageia. All of the outstanding CVEs in this list have been fixed by the version of nodejs in cauldron. I will backport the newest nodejs and js-yaml back into Mageia 4.
nodejs-js-yaml is not in Mageia 4 and neither is nodejs-js-connect. The only package that needs to be backported is nodejs itself, and I've got a build going right now. I'll send out an advisory and reassign the bug to QA. Also, let me know if there are any orphan packages for the nodejs stack. It turns out that nodejs is a critical piece of functionality for me, and so I will volunteer to maintain that stack.
I have uploaded an updated package for Mageia 4.

Suggested advisory:
========================

Updated nodejs packages fix security vulnerabilities:

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing. (CVE-2014-5256)

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2013-6668)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6668
http://nodejs.org/dist/v0.10.33/docs/changelog.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-5256
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.33-1.mga4

Source RPMs:
nodejs-0.10.33-1.mga4.src.rpm
Reassigning to QA with advisory. I've gone through the other advisories and the nodejs package itself appears to be the only one that is in Mageia 4.
Assignee: bugsquad => qa-bugs
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10691#c0
Whiteboard: (none) => has_procedure
Testing complete mga4 64

Well done Joseph.

$ node -e "console.log(process.versions)"
{ http_parser: '1.0',
  node: '0.10.33',
  v8: '3.14.5.9',
  ares: '1.10.0',
  uv: '0.10.29',
  zlib: '1.2.8',
  modules: '11',
  openssl: '1.0.1e' }

$ node -e "console.log('Hello World')"
Hello World

# npm install azure-cli -g
/usr/bin/azure -> /usr/lib/node_modules/azure-cli/bin/azure
azure-cli@0.8.12 /usr/lib/node_modules/azure-cli
├── easy-table@0.0.1
├── eyes@0.1.8
...etc

# azure --help
info: _ _____ _ ___ ___
info: /_\ |_ / | | | _ \ __|
info: _ ___/ _ \__/ /| |_| | / _|___ _ _
info: (___ /_/ \_\/___|\___/|_|_\___| _____)
info: (_______ _ _) _ ______ _)_ _
info: (______________ _ ) (___ _ _)
info:
info: Microsoft Azure: Microsoft's Cloud Platform
info:
info: Tool version 0.8.12
...etc

# npm uninstall azure-cli -g
unbuild azure-cli@0.8.12

# azure --help
-bash: azure: command not found
Whiteboard: has_procedure => has_procedure mga4-64-ok
Thanks Joseph! Great job!

Just some whitespace changes and minor references adjustment to the advisory.

Suggested advisory:
========================

Updated nodejs package fixes security vulnerabilities:

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing (CVE-2014-5256).

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Node.js before 0.10.31, allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2013-6668).

The nodejs package has been updated to version 0.10.33 to fix these issues as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6668
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
http://nodejs.org/dist/v0.10.33/docs/changelog.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136333.html
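Added example, not part of the bug thread or of the Node.js project's code: the advisory names successive JSON.parse calls on deeply nested objects as the workload that can hit CVE-2014-5256, so a service that accepts untrusted JSON can bound nesting depth before parsing. The limit of 64 and the names `jsonNestingDepth` and `parseBounded` are assumptions made for this illustration.

```javascript
// Added example: bound the nesting depth of untrusted JSON before parsing it.
// MAX_DEPTH and the function names are assumptions made for this illustration.
const MAX_DEPTH = 64;

// Walk the raw text once, without recursion, and return the deepest level of
// nested objects/arrays. Brackets inside string literals are ignored.
function jsonNestingDepth(text) {
  let depth = 0;
  let deepest = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;              // skip the escaped character (\" or \\)
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      depth++;
      if (depth > deepest) deepest = depth;
    } else if (ch === '}' || ch === ']') {
      depth--;
    }
  }
  return deepest;
}

// Parse only when the input stays within the depth budget.
function parseBounded(text, maxDepth = MAX_DEPTH) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`JSON nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return JSON.parse(text);
}

// Constructed sample inputs: one shallow document whose string value contains
// brackets, and one array nested 1000 levels deep.
const shallow = '{"user":"a","tags":["x","]}{["]}';
const deep = '['.repeat(1000) + ']'.repeat(1000);

for (const [name, text] of [['shallow', shallow], ['deep', deep]]) {
  try { parseBounded(text); console.log(name, 'accepted'); }
  catch (err) { console.log(name, 'rejected:', err.message); }
}
```

The check is an input-validation layer in front of the parser; the package update to 0.10.33 described in the advisory is what removes the V8 defect itself.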
Testing complete mga3 32
ermmm mga4 32
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok
Validating. I'll upload the advisory shortly.

Please push to updates

Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure mga4-64-ok mga4-32-ok => advisory has_procedure mga4-64-ok mga4-32-ok
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0516.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/625500/