18705 – nodejs new security issue CVE-2016-1669

Bug 18705 - nodejs new security issue CVE-2016-1669

Summary: nodejs new security issue CVE-2016-1669

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Nicolas Lécureuil
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	19282
	Show dependency tree / graph

Reported:	2016-06-14 14:34 CEST by David Walser
Modified:	2016-09-08 22:27 CEST (History)
CC List:	0 users

See Also:
Source RPM:	nodejs-4.4.4-3.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-06-14 14:34:29 CEST

Upstream has announced that they will fix security issues later this week:
https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/

The issues will be fixed in 4.5.0.

There was also a 4.4.5 bugfix release in the interim:
https://nodejs.org/en/blog/release/v4.4.5/

The security issues also affect Mageia 5, and can be handled in Bug 18481.

Comment 1 Joseph Wang 2016-06-15 04:44:28 CEST

Reassigning to neoclust since he has volunteered to maintain the nodejs stack.  I'd be willing to take this issue if he doesn't have the cycles to do it.

Assignee: joequant => neoclust

Comment 2 David Walser 2016-06-28 18:20:19 CEST

CVE-2016-5325 will be fixed at a later time according to upstream's announcement on June 23.  CVE-2016-1669 has been fixed in 4.4.6 and 0.10.46.

Assignee: neoclust => mageia
Summary: nodejs new security issue CVE-2016-5325 => nodejs new security issue CVE-2016-1669

David Walser 2016-09-08 19:26:01 CEST

Blocks: (none) => 19282

Comment 3 David Walser 2016-09-08 22:27:04 CEST

nodejs-4.5.0-1.mga6 uploaded for Cauldron.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.