Fedora has issued an advisory on February 14: https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html The issues are fixed upstream in 0.10.42 and 5.6.0 and are detailed in the upstream advisory from February 9: https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ Both Mageia 5 and Cauldron are affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO
0.10.42 update checked into Mageia 5 SVN. Joseph, please take care of updating Cauldron.
Updated cauldron with 5.6.0
Status: NEW => RESOLVEDResolution: (none) => FIXED
Thanks, but it's only fixed in Cauldron. Updated package uploaded for Mageia 5. Test procedure: https://bugs.mageia.org/show_bug.cgi?id=11981#c5 Advisory: ======================== Updated nodejs package fixes security vulnerabilities: A request smuggling vulnerability was found in Node.js that can be exploited under certain unspecified circumstances (CVE-2016-2086). It was reported that HTTP header parsing in Node.js is vulnerable to response splitting attacks. While Node.js has been protecting against response splitting attacks by checking for CRLF characters, it is possible to compose response headers using Unicode characters that decompose to these characters, bypassing the checks previously in place (CVE-2016-2216). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2086 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2216 https://nodejs.org/en/blog/release/v0.10.42/ https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html ======================== Updated packages in core/updates_testing: ======================== nodejs-0.10.42-1.mga5 from nodejs-0.10.42-1.mga5.src.rpm
Status: RESOLVED => REOPENEDCC: (none) => joequantVersion: Cauldron => 5Resolution: FIXED => (none)Assignee: joequant => qa-bugsWhiteboard: MGA5TOO => has_procedure
CC: (none) => davidwhodginsWhiteboard: has_procedure => has_procedure advisory
mga5 i586 in virtualbox Mate # urpmi nodejs Package nodejs-0.10.41-1.mga5.i586 is already installed Installed nodejs-0.10.42-1.mga5 Following procedure linked in comment #3: [lcl@cursa ~]$ node -e "console.log(process.versions)" { http_parser: '1.1', node: '0.10.42', v8: '3.14.5.9', ares: '1.10.0', uv: '0.10.36', zlib: '1.2.8', modules: '11', openssl: '1.0.2f' } [lcl@cursa ~]$ node -e "console.log('Hello World')" Hello World [lcl@cursa ~]$ sudo npm install azure-cli -g npm WARN deprecated This version of npm lacks support for important features, npm WARN deprecated such as scoped packages, offered by the primary npm npm WARN deprecated registry. Consider upgrading to at least npm@2, if not the npm WARN deprecated latest stable version. To upgrade to npm@2, run: npm WARN deprecated npm WARN deprecated npm -g install npm@latest-2 npm WARN deprecated npm WARN deprecated To upgrade to the latest stable version, run: npm WARN deprecated npm WARN deprecated npm -g install npm@latest npm WARN deprecated npm WARN deprecated (Depending on how Node.js was installed on your system, you npm WARN deprecated may need to prefix the preceding commands with `sudo`, or if npm WARN deprecated on Windows, run them from an Administrator prompt.) npm WARN deprecated npm WARN deprecated If you're running the version of npm bundled with npm WARN deprecated Node.js 0.10 LTS, be aware that the next version of 0.10 LTS npm WARN deprecated will be bundled with a version of npm@2, which has some small npm WARN deprecated backwards-incompatible changes made to `npm run-script` and npm WARN deprecated semver behavior. npm WARN engine galaxy@0.1.12: wanted: {"node":">=0.11.10"} (current: {"node":"0.10.42","npm":"1.4.29"}) > fibers@1.0.9 install /usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers > node build.js || nodejs build.js gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/0.10.42" EACCES attempting to reinstall using temporary dev dir "/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/.node-gyp" make: Entering directory '/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/build' CXX(target) Release/obj.target/fibers/src/fibers.o CXX(target) Release/obj.target/fibers/src/coroutine.o CC(target) Release/obj.target/fibers/src/libcoro/coro.o SOLINK_MODULE(target) Release/obj.target/fibers.node SOLINK_MODULE(target) Release/obj.target/fibers.node: Finished COPY Release/fibers.node make: Leaving directory '/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/build' Installed in `/usr/lib/node_modules/azure-cli/node_modules/streamline/node_modules/fibers/bin/linux-ia32-v8-3.14/fibers.node` /usr/bin/azure -> /usr/lib/node_modules/azure-cli/bin/azure azure-cli@0.9.15 /usr/lib/node_modules/azure-cli âââ number-is-nan@1.0.0 âââ easy-table@0.0.1 âââ eyes@0.1.8 âââ azure-arm-commerce@0.1.1 âââ xmlbuilder@0.4.3 âââ azure-asm-subscription@0.10.1 âââ swagger-schema-official@2.0.0-a33091a âââ through@2.3.4 âââ colors@0.6.2 ... snipped a number of lines ... âââ azure-arm-resource@0.10.7 âââ azure-arm-datalake-store@0.1.2 (node-uuid@1.4.7) âââ azure-asm-sql@0.10.1 âââ azure-asm-sb@0.10.1 âââ ssh-key-to-pem@0.11.0 (asn1@0.1.11, ctype@0.5.2) âââ azure-asm-website@0.10.1 âââ github@0.1.6 âââ azure-arm-insights@0.10.2 âââ omelette@0.1.0 ... and here ... âââ azure-arm-website@0.10.0 (azure-common@0.9.12) âââ azure-arm-compute@0.14.0 (ms-rest@1.9.0) âââ node-forge@0.6.23 âââ azure-arm-network@0.12.0 (ms-rest@1.9.0) âââ moment@2.6.0 âââ adal-node@0.1.17 (node-uuid@1.4.1, xmldom@0.1.22, xpath.js@1.0.6, jws@3.1.1, date-utils@1.2.18) âââ ms-rest-azure@1.9.0 (async@0.2.7, uuid@2.0.1, ms-rest@1.9.0, adal-node@0.1.16) âââ azure-storage@0.7.0 (extend@1.2.1, node-uuid@1.4.7, browserify-mime@1.2.9, validator@3.22.2, xml2js@0.2.7, readable-stream@2.0.5, request@2.57.0) âââ streamline@0.10.17 (galaxy@0.1.12, source-map@0.1.43, fibers@1.0.9) [lcl@cursa ~]$ azure --help info: _ _____ _ ___ ___ info: /_\ |_ / | | | _ \ __| info: _ ___/ _ \__/ /| |_| | / _|___ _ _ info: (___ /_/ \_\/___|\___/|_|_\___| _____) info: (_______ _ _) _ ______ _)_ _ info: (______________ _ ) (___ _ _) info: info: Microsoft Azure: Microsoft's Cloud Platform info: info: Tool version 0.9.15 help: help: Display help for a given command help: help [options] [command] help: help: Log in to an Azure subscription using Active Directory or a Microsoft account identity. etc. etc. OK for 32 bits.
CC: (none) => tarazed25
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK
mga5 x86_64 Mate Updated nodejs-0.10.41-1.mga5 to nodejs-0.10.42-1.mga5 from updates testing. Followed the same procedure referenced in comment #3 and all the results were the same or similar. Validating this.
Keywords: (none) => validated_updateWhiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA5-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0080.html
Status: REOPENED => RESOLVEDResolution: (none) => FIXED