Fedora has issued an advisory on February 20: https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html The issue is in the bundled libuv and is fixed in nodejs 0.10.36. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Joseph, you promised to keep nodejs patched for security issues, please confirm that you are still willing to do so or I'm going to drop it for good :)
CC: (none) => mageia
Will fix
Fixed in cauldron. Will update MGA4
It's not fixed in Cauldron. Nothing was committed in SVN.
The libuv versioning confused me. This CVE was fixed in libuv 0.10.36, which is bundled in nodejs as of nodejs 0.10.37. nodejs-0.10.38-1.mga5 uploaded for Cauldron fixes this. Thanks Joseph!
Version: Cauldron => 4Whiteboard: MGA5TOO, MGA4TOO => (none)
Updated packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated nodejs package fixes security vulnerability: It was found that libuv does not call setgoups before calling setuid/setgid. This may potentially allow an attacker to gain elevated privileges (CVE-2015-0278). The libuv library is bundled with nodejs, and a fixed version of libuv is included with nodejs as of version 0.10.37. The nodejs package has been updated to version 0.10.38 to fix this issue, as well as several other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0278 http://blog.nodejs.org/2014/12/17/node-v0-10-34-stable/ http://blog.nodejs.org/2014/12/23/node-v0-10-35-stable/ http://blog.nodejs.org/2015/01/26/node-v0-10-36-stable/ http://blog.nodejs.org/2015/03/14/node-v0-10-37-stable/ http://blog.nodejs.org/2015/03/23/node-v0-10-38-maintenance/ https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html ======================== Updated packages in core/updates_testing: ======================== nodejs-0.10.38-1.mga4 from nodejs-0.10.38-1.mga4.src.rpm
CC: (none) => joequantAssignee: joequant => qa-bugs
There's a test procedure here: https://bugs.mageia.org/show_bug.cgi?id=11981#c5
CC: (none) => shlomifWhiteboard: (none) => has_procedure
Test procedure runs fine on a MGA4-x86-64 VBox VM. Adding MGA4-64-OK.
Whiteboard: has_procedure => MGA4-64-OK has_procedure
Test procedure works fine on a 32-bit i586 VBox VM too. Adding "MGA4-32-OK".
Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK
Thanks Shlomi Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0186.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
FYI. I tried with libuv-1.4.2 but nodejs-0.10.38 did not like it.
CC: (none) => oe
I don't know anything about libuv, but v8 is another library that's bundled with nodejs, and I know that it isn't designed to be used as a system library. I wouldn't be surprised if libuv was the same way.