Bug 21330 - nodejs new security issues fixed upstream in 6.11.1
Summary: nodejs new security issues fixed upstream in 6.11.1
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2017-07-23 21:47 CEST by David Walser
Modified: 2017-09-06 15:09 CEST (History)

See Also:
Source RPM: nodejs-6.10.3-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-07-23 21:47:10 CEST
Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2AXESDBS3WP5K4PFYD3EMDD3R662MMG6/

This follows from the upstream advisory on July 11:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/

For 6.x, the issues were fixed in 6.11.1:
https://nodejs.org/en/blog/release/v6.11.1/

Mageia 5 and Mageia 6 are also affected.

0.10.x is no longer supported, so we should recommend users upgrade to Mageia 6.
David Walser 2017-07-23 21:47:18 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Nicolas Lécureuil 2017-07-26 18:36:54 CEST
6.11.1 pushed in updates_testing
and pushed in cauldron too

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Nicolas Lécureuil 2017-07-26 18:37:03 CEST

Assignee: mageia => qa-bugs

Comment 2 David Walser 2017-07-26 22:21:14 CEST
Assigning back to Nicolas.  Neither update built successfully.

Assignee: qa-bugs => mageia
Whiteboard: (none) => MGA6TOO
CC: (none) => qa-bugs
Version: 6 => Cauldron

Comment 3 Nicolas Lécureuil 2017-07-27 00:34:19 CEST
Let's validate this. The cauldron package will be pushed when rpm is fixed; it is on my todo, I won't forget.


src.rpm http-parser-2.7.1-1.mga6 and nodejs-6.11.1-1.1.mga6

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Nicolas Lécureuil 2017-07-27 00:34:30 CEST

Assignee: mageia => qa-bugs

Comment 4 David Walser 2017-07-27 01:57:49 CEST
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable
seed was constant across a given released version of Node.js. This was a result
of building with V8 snapshots enabled by default which caused the initially
randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to
read memory outside of the given input buffer through carefully crafted DNS
response packets (CVE-2017-1000381).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.1.mga6
nodejs-devel-6.11.1-1.1.mga6
npm-3.10.10-1.6.11.1.1.mga6
nodejs-docs-6.11.1-1.1.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.1.mga6.src.rpm
David Walser 2017-07-27 01:58:07 CEST

CC: qa-bugs => (none)

Comment 5 David Walser 2017-07-29 23:18:52 CEST
Nicolas is working on fixing dependency issues from the update.  Adding the feedback marker until that's completed.  Note to self: also add a bit to the advisory saying that Mageia 5 users should update to Mageia 6, as 0.10.x is unsupported.

Whiteboard: (none) => feedback

Comment 6 Nicolas Lécureuil 2017-08-11 01:27:24 CEST
New src.rpm nodejs-6.11.1-1.3.mga6 (the install issue)

CC: (none) => mageia

Comment 7 David Walser 2017-08-11 02:08:57 CEST
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable
seed was constant across a given released version of Node.js. This was a result
of building with V8 snapshots enabled by default which caused the initially
randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to
read memory outside of the given input buffer through carefully crafted DNS
response packets (CVE-2017-1000381).

Note that Mageia 5 is also affected, but the 0.10.x branch of nodejs is no
longer supported.  Users of nodejs should upgrade to Mageia 6.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.8.mga6
nodejs-devel-6.11.1-1.8.mga6
npm-3.10.10-1.8.mga6
nodejs-docs-6.11.1-1.8.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.8.mga6.src.rpm
David Walser 2017-08-11 02:09:03 CEST

Whiteboard: feedback => (none)

Comment 8 David Walser 2017-08-12 00:11:03 CEST
Package was rebuilt to change the release tag for some reason.

nodejs-6.11.1-2.1.mga6
nodejs-devel-6.11.1-2.1.mga6
npm-3.10.10-2.1.mga6
nodejs-docs-6.11.1-2.1.mga6

from nodejs-6.11.1-2.1.mga6.src.rpm
Comment 9 Manuel Hiebel 2017-08-16 20:55:59 CEST
Still impossible to update:

# urpmi --debug nodejs
(...)
getting exclusive lock on rpm
search_packages: found nodejs-6.10.3-2.mga6.x86_64 matching nodejs
search_packages: found nodejs-6.11.1-2.1.mga6.x86_64 matching nodejs
found package(s): nodejs-6.10.3-2.mga6.x86_64 nodejs-6.11.1-2.1.mga6.x86_64
opening rpmdb (root=, write=)
chosen nodejs-6.11.1-2.1.mga6.x86_64 for nodejs|nodejs
selecting nodejs-6.11.1-2.1.mga6.x86_64
set_rejected: nodejs-6.10.3-2.mga6.x86_64
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
promoting npm-3.10.10-2.1.mga6.x86_64 because of conflict above
selecting npm-3.10.10-2.1.mga6.x86_64
set_rejected: npm-3.10.10-2.mga6.x86_64
requiring nodejs[== 1:6.11.1-2.1] for npm-3.10.10-2.1.mga6.x86_64
no packages match nodejs[== 1:6.11.1-2.1] (it is either in skip.list or already rejected)
unselecting npm-3.10.10-2.1.mga6.x86_64
adding a reason to already rejected package npm-3.10.10-2.1.mga6.x86_64: unsatisfied nodejs[== 1:6.11.1-2.1]
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
set_rejected: npm-3.10.10-2.mga6.x86_64
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
promoting npm-3.10.10-2.mga6.i586 npm-3.10.10-2.1.mga6.i586 because of conflict above
no packages match npm|npm (it is either in skip.list or already rejected)
no packages match npm (it is either in skip.list or already rejected)
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
unselecting nodejs-6.11.1-2.1.mga6.x86_64
Le paquetage demandé ne peut pas être installé :
npm-3.10.10-2.1.mga6.x86_64 (car nodejs[== 1:6.11.1-2.1] est non satisfait)

Whiteboard: (none) => feedback
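The debug log above shows the dependency carried by npm, `nodejs[== 1:6.11.1-2.1]`, failing to match the candidate `nodejs-6.11.1-2.1.mga6`: rpm's strict equality compares the release strings `2.1` and `2.1.mga6`, which are not equal, so the security update cannot be installed and the vulnerable 6.10.3 build stays in place. The following Python is an added example, not rpm's or urpmi's code, that reimplements rpm's EVR comparison (tilde and caret ordering omitted, ASCII EVRs assumed) to reproduce that mismatch and to check whether an installed nodejs build still predates the fixed 6.11.1; the sample EVR strings are the ones in the log.

```python
# Added example (not rpm's or urpmi's code): rpm-style EVR comparison for the urpmi log,
# reimplementing rpmvercmp() segment ordering (tilde/caret omitted) and the
# epoch:version-release match rpm applies to a versioned Requires. ASCII EVRs only.
import re

FIXED_EVR = "1:6.11.1"  # first fixed upstream version per the advisory; release left open

def rpmvercmp(a, b):
    """-1, 0 or 1 like rpm: compare alternating digit/alpha segments, ignoring separators."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():  # skip '.', '-', '_' ...
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        seg = re.compile(r"\d+" if isnum else r"[A-Za-z]+")
        ma, mb = seg.match(a, i), seg.match(b, j)
        if mb is None:  # a digit run sorts after a letter run at the same position
            return 1 if isnum else -1
        i, j = ma.end(), mb.end()
        sa, sb = ma.group().lstrip("0"), mb.group().lstrip("0")  # leading zeros are ignored
        if isnum and len(sa) != len(sb):  # longer numeric segment is the larger number
            return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # leftover segments ("2.1.mga6" vs "2.1") mean newer

def parse_evr(evr):
    """'epoch:version-release' -> (int epoch, version, release or None); missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", evr)
    version, sep, release = rest.partition("-")
    return int(epoch), version, (release if sep else None)

def evrcmp(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if (c or ra is None or rb is None) else rpmvercmp(ra, rb)  # no release: any matches

def strict_dep_matches(required, provided):  # would 'Requires: nodejs == required' accept it?
    return evrcmp(required, provided) == 0

def still_vulnerable(installed_evr):  # does the installed build predate the 6.11.1 fix?
    return evrcmp(installed_evr, FIXED_EVR) < 0
```

`strict_dep_matches("1:6.11.1-2.1", "1:6.11.1-2.1.mga6")` returns False, which is the mismatch urpmi reports, while `still_vulnerable("1:6.10.3-2.mga6")` returns True for the core/release build that stays installed as a result.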

Comment 10 Nicolas Lécureuil 2017-08-20 01:24:05 CEST
I just tried and it installs now.

Can you confirm?

Whiteboard: feedback => (none)

Comment 11 David Walser 2017-08-20 01:26:04 CEST
Only the release tag changed again, but Nicolas is able to install them and upgrade to them from the core/release versions.

nodejs-6.11.1-3.mga6
nodejs-devel-6.11.1-3.mga6
npm-3.10.10-3.mga6
nodejs-docs-6.11.1-3.mga6

from nodejs-6.11.1-3.mga6.src.rpm
Comment 12 David Walser 2017-08-21 17:53:35 CEST
Nicolas is in the process of updating this again to 6.11.2, as well as providing an update for Mageia 5:
https://nodejs.org/en/blog/release/v6.11.2/

Whiteboard: (none) => feedback

Comment 13 David Walser 2017-08-22 18:51:21 CEST
This is still in progress.  It looks like the current build needs to be removed from mga6 core/updates_testing so it can be resubmitted, otherwise youri is rejecting the upload.

Current package list for Mageia 5 (since it won't be visible on pkgsubmit soon):
libuv1-1.9.0-1.mga5
libuv-devel-1.9.0-1.mga5
libuv-static-devel-1.9.0-1.mga5
libhttp-parser2-2.7.1-1.mga5
libhttp-parser-devel-2.7.1-1.mga5
nodejs-6.11.1-1.mga5
nodejs-devel-6.11.1-1.mga5
npm-3.10.10-1.mga5
nodejs-docs-6.11.1-1.mga5

from SRPMS:
libuv-1.9.0-1.mga5.src.rpm
http-parser-2.7.1-1.mga5.src.rpm
nodejs-6.11.1-1.mga5.src.rpm
Comment 14 Samuel Verschelde 2017-09-06 15:09:17 CEST
Moving 'feedback' from whiteboard to keywords now that madb has been updated to handle that keyword.

Whiteboard: feedback => (none)
Keywords: (none) => feedback

