Nodejs has issued an advisory on September 23:
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

SUSE has issued an advisory for this on October 6:
https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html

The issues are fixed in 0.10.47 and 4.6.0:
https://nodejs.org/en/blog/release/v0.10.47/
https://nodejs.org/en/blog/release/v4.6.0/
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer
CC: (none) => marja11
Assignee: bugsquad => joequant
Fixed in Cauldron by Nicolas. Thanks!
CC: (none) => mageia
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Updated package uploaded for Mageia 5.

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=11981#c5

Advisory:
========================

Updated nodejs package fixes security vulnerability:

Node.js has a defect that may make HTTP response splitting possible under certain circumstances. If user input is passed to the reason argument to writeHead() on an HTTP response, a new-line character may be used to inject additional responses (CVE-2016-5325).

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate (CVE-2016-7099).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7099
https://nodejs.org/en/blog/release/v0.10.47/
https://nodejs.org/en/blog/release/v0.10.48/
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.48-1.mga5

from nodejs-0.10.48-1.mga5.src.rpm
Whiteboard: (none) => has_procedure
Assignee: joequant => qa-bugs
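An application-side guard for the writeHead() reason argument described in the advisory above (CVE-2016-5325). This is an added example, not part of the bug thread and not Node.js or Mageia code; `isValidReason`, `writeHeadSafe` and `fakeResponse` are hypothetical names, and the fake response assumes a serializer that concatenates the reason into the status line unchecked.

```javascript
'use strict';
const http = require('http');

// RFC 7230 reason-phrase: HTAB, SP, visible ASCII or obs-text (0x80-0xFF).
// CR and LF are not allowed, so a value that passes cannot end the status
// line early and start a second header or response.
const REASON_PHRASE = /^[\t\x20-\x7e\x80-\xff]*$/;

function isValidReason(reason) {
  return typeof reason === 'string' && REASON_PHRASE.test(reason);
}

// Hypothetical wrapper: pass the caller's reason through only when it is a
// valid reason-phrase; otherwise use the standard text for the status code.
function writeHeadSafe(res, statusCode, reason, headers) {
  const safe = isValidReason(reason)
    ? reason
    : (http.STATUS_CODES[statusCode] || 'unknown');
  res.writeHead(statusCode, safe, headers);
  return safe;
}

// Constructed stand-in for http.ServerResponse. It records the status line
// by plain concatenation (assumption: how an unchecked serializer behaves).
function fakeResponse() {
  return {
    raw: '',
    writeHead(code, reason) {
      this.raw = 'HTTP/1.1 ' + code + ' ' + reason + '\r\n';
    }
  };
}

// Constructed input: a reason string that carries a CRLF sequence.
const untrusted = 'OK\r\nX-Injected: 1';
const demoRes = fakeResponse();
const usedReason = writeHeadSafe(demoRes, 200, untrusted, {});

console.log('reason used :', JSON.stringify(usedReason));
console.log('status line :', JSON.stringify(demoRes.raw));
```

The guard is still useful on a patched runtime as a check at the point where request data reaches the response API.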
[root@x5v ~]# node -e "console.log('Hello World')"
Hello World

Same result on i586. Validating the update.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0204.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED