19550 – nodejs new security issues CVE-2016-5325 and CVE-2016-7099

Bug 19550 - nodejs new security issues CVE-2016-5325 and CVE-2016-7099

Summary: nodejs new security issues CVE-2016-5325 and CVE-2016-7099

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/702896/
Whiteboard:	has_procedure advisory MGA5-64-OK MGA...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2016-10-07 19:10 CEST by David Walser
Modified:	2017-07-13 11:22 CEST (History)
CC List:	4 users (show)

See Also:
Source RPM:	nodejs-4.5.0-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-10-07 19:10:49 CEST

Nodejs has issued an advisory on September 23:
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

SUSE has issued an advisory for this on October 6:
https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html

The issues are fixed in 0.10.47 and 4.6.0:
https://nodejs.org/en/blog/release/v0.10.47/
https://nodejs.org/en/blog/release/v4.6.0/

David Walser 2016-10-07 19:10:58 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-10-07 23:46:51 CEST

Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => joequant

Comment 2 David Walser 2016-11-26 17:05:45 CET

Fixed in Cauldron by Nicolas.  Thanks!

CC: (none) => mageia
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2017-07-09 03:04:08 CEST

Updated package uploaded for Mageia 5.

Test procedure:
https://bugs.mageia.org/show_bug.cgi?id=11981#c5

Advisory:
========================

Updated nodejs package fixes security vulnerability:

Node.js has a defect that that may make HTTP response splitting possible under
certain circumstances. If user-input is passed to the reason argument to
writeHead() on an HTTP response, a new-line character may be used to inject
additional responses (CVE-2016-5325).

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does not
properly handle wildcards in name fields of X.509 certificates, which allows
man-in-the-middle attackers to spoof servers via a crafted certificate
(CVE-2016-7099).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7099
https://nodejs.org/en/blog/release/v0.10.47/
https://nodejs.org/en/blog/release/v0.10.48/
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.48-1.mga5

from nodejs-0.10.48-1.mga5.src.rpm

Whiteboard: (none) => has_procedure
Assignee: joequant => qa-bugs

Comment 4 Dave Hodgins 2017-07-13 04:03:40 CEST

[root@x5v ~]# node -e "console.log('Hello World')"
Hello World

Same result on i586. Validating the update.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2017-07-13 11:22:06 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0204.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.