Node.js has issued an advisory on March 31: https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

The issue is fixed in nodejs 0.44: https://nodejs.org/en/blog/release/v0.10.44/

The npm version string was fixed in nodejs 0.45: https://nodejs.org/en/blog/release/v0.10.45/

There were also other bugs fixed since our last update, in nodejs 0.43: https://nodejs.org/en/blog/release/v0.10.43/

The openssl issues do not affect us.
Note that a 0.10.46 release with an additional security fix will be coming later this week: https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/
Re-assigning to neoclust. Feel free to reassign back if you need any help.
Assignee: joequant => neoclust
(In reply to David Walser from comment #1)
> Note that a 0.10.46 release with an additional security fix will be coming
> later this week:
> https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/

0.10.46 with a fix for CVE-2016-1669 is available.
Assignee: neoclust => mageia
Summary: nodejs new security issue fixed in bundled npm => nodejs new security issue fixed in bundled npm (also CVE-2016-1669)
Updated package uploaded for Mageia 5.

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=11981#c5

Advisory:
========================

Updated nodejs package fixes security vulnerabilities:

Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution (CVE-2016-1669).

The primary npm registry has used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669
https://nodejs.org/en/blog/release/v0.10.44/
https://nodejs.org/en/blog/release/v0.10.45/
https://nodejs.org/en/blog/release/v0.10.46/
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.46-1.mga5

from nodejs-0.10.46-1.mga5.src.rpm
Assignee: mageia => qa-bugs
Whiteboard: (none) => has_procedure
Lots of warning and error messages from npm install azure-cli -g, but it works. Validating.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0307.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED