Bug 21330 - nodejs new security issues fixed upstream in 6.11.1
Summary: nodejs new security issues fixed upstream in 6.11.1
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2017-07-23 21:47 CEST by David Walser
Modified: 2017-11-08 03:48 CET (History)

See Also:
Source RPM: nodejs-6.10.3-2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-07-23 21:47:10 CEST
Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2AXESDBS3WP5K4PFYD3EMDD3R662MMG6/

This follows from the upstream advisory on July 11:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/

For 6.x, the issues were fixed in 6.11.1:
https://nodejs.org/en/blog/release/v6.11.1/

Mageia 5 and Mageia 6 are also affected.

0.10.x is no longer supported, so we should recommend users upgrade to Mageia 6.
David Walser 2017-07-23 21:47:18 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Nicolas Lécureuil 2017-07-26 18:36:54 CEST
6.11.1 pushed in updates_testing
and pushed in cauldron too

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Nicolas Lécureuil 2017-07-26 18:37:03 CEST

Assignee: mageia => qa-bugs

Comment 2 David Walser 2017-07-26 22:21:14 CEST
Assigning back to Nicolas.  Neither update built successfully.

Assignee: qa-bugs => mageia
Whiteboard: (none) => MGA6TOO
CC: (none) => qa-bugs
Version: 6 => Cauldron

Comment 3 Nicolas Lécureuil 2017-07-27 00:34:19 CEST
Let's validate this; the cauldron package will be pushed when rpm is fixed. It is on my todo, I won't forget.


src.rpm http-parser-2.7.1-1.mga6 and nodejs-6.11.1-1.1.mga6

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Nicolas Lécureuil 2017-07-27 00:34:30 CEST

Assignee: mageia => qa-bugs

Comment 4 David Walser 2017-07-27 01:57:49 CEST
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable
seed was constant across a given released version of Node.js. This was a result
of building with V8 snapshots enabled by default which caused the initially
randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to
read memory outside of the given input buffer through carefully crafted DNS
response packets (CVE-2017-1000381).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.1.mga6
nodejs-devel-6.11.1-1.1.mga6
npm-3.10.10-1.6.11.1.1.mga6
nodejs-docs-6.11.1-1.1.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.1.mga6.src.rpm
David Walser 2017-07-27 01:58:07 CEST

CC: qa-bugs => (none)

Comment 5 David Walser 2017-07-29 23:18:52 CEST
Nicolas is working on fixing dependency issues from the update.  Adding the feedback marker until that's completed.  Note to self: also add a bit to the advisory saying that Mageia 5 users should update to Mageia 6, as 0.10.x is unsupported.

Whiteboard: (none) => feedback

Comment 6 Nicolas Lécureuil 2017-08-11 01:27:24 CEST
New src.rpm nodejs-6.11.1-1.3.mga6 (the install issue)

CC: (none) => mageia

Comment 7 David Walser 2017-08-11 02:08:57 CEST
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable
seed was constant across a given released version of Node.js. This was a result
of building with V8 snapshots enabled by default which caused the initially
randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to
read memory outside of the given input buffer through carefully crafted DNS
response packets (CVE-2017-1000381).

Note that Mageia 5 is also affected, but the 0.10.x branch of nodejs is no
longer supported.  Users of nodejs should upgrade to Mageia 6.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.8.mga6
nodejs-devel-6.11.1-1.8.mga6
npm-3.10.10-1.8.mga6
nodejs-docs-6.11.1-1.8.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.8.mga6.src.rpm
David Walser 2017-08-11 02:09:03 CEST

Whiteboard: feedback => (none)

Comment 8 David Walser 2017-08-12 00:11:03 CEST
Package was rebuilt to change the release tag for some reason.

nodejs-6.11.1-2.1.mga6
nodejs-devel-6.11.1-2.1.mga6
npm-3.10.10-2.1.mga6
nodejs-docs-6.11.1-2.1.mga6

from nodejs-6.11.1-2.1.mga6.src.rpm
Comment 9 Manuel Hiebel 2017-08-16 20:55:59 CEST
Still impossible to update:

# urpmi --debug nodejs
(...)
getting exclusive lock on rpm
search_packages: found nodejs-6.10.3-2.mga6.x86_64 matching nodejs
search_packages: found nodejs-6.11.1-2.1.mga6.x86_64 matching nodejs
found package(s): nodejs-6.10.3-2.mga6.x86_64 nodejs-6.11.1-2.1.mga6.x86_64
opening rpmdb (root=, write=)
chosen nodejs-6.11.1-2.1.mga6.x86_64 for nodejs|nodejs
selecting nodejs-6.11.1-2.1.mga6.x86_64
set_rejected: nodejs-6.10.3-2.mga6.x86_64
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
promoting npm-3.10.10-2.1.mga6.x86_64 because of conflict above
selecting npm-3.10.10-2.1.mga6.x86_64
set_rejected: npm-3.10.10-2.mga6.x86_64
requiring nodejs[== 1:6.11.1-2.1] for npm-3.10.10-2.1.mga6.x86_64
no packages match nodejs[== 1:6.11.1-2.1] (it is either in skip.list or already rejected)
unselecting npm-3.10.10-2.1.mga6.x86_64
adding a reason to already rejected package npm-3.10.10-2.1.mga6.x86_64: unsatisfied nodejs[== 1:6.11.1-2.1]
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
set_rejected: npm-3.10.10-2.mga6.x86_64
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
promoting npm-3.10.10-2.mga6.i586 npm-3.10.10-2.1.mga6.i586 because of conflict above
no packages match npm|npm (it is either in skip.list or already rejected)
no packages match npm (it is either in skip.list or already rejected)
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
unselecting nodejs-6.11.1-2.1.mga6.x86_64
Le paquetage demandé ne peut pas être installé :
npm-3.10.10-2.1.mga6.x86_64 (car nodejs[== 1:6.11.1-2.1] est non satisfait)

Whiteboard: (none) => feedback
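
The urpmi trace above shows npm's strict requirement `nodejs[== 1:6.11.1-2.1]` being refused by the only candidate, `nodejs-6.11.1-2.1.mga6`: under rpm's version rules a release of `2.1` and a release of `2.1.mga6` are not equal, so an exact-match dependency that drops the distribution tag can never be satisfied. The following is an added illustration, not code from the bug report or from Mageia's tooling: a minimal rpm-style EVR comparator that reproduces that rejection and can also check whether an installed nodejs is at or past the fixed 6.11.1. It simplifies real rpm (no tilde/caret handling, epoch compared only when both labels carry one).

```python
import re

# Added example, not part of the bug report: a simplified rpm EVR comparator.
# Simplifications vs real rpm: no tilde/caret segments, and the epoch is only
# compared when both labels specify one.

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """rpm-style label compare: alternating numeric/alpha segments; numeric
    segments compare as integers and beat alpha ones; the longer label wins
    when every shared segment is equal (so '2.1.mga6' > '2.1')."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        xk, yk = (int(x), int(y)) if xd else (x, y)
        if xk != yk:
            return 1 if xk > yk else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(label):
    """'1:6.11.1-2.1.mga6' -> (epoch or None, version, release or None)."""
    epoch, _, rest = label.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch else None, version, release or None)

def satisfies(provided, op, required):
    """Does the provided EVR satisfy an rpm dependency 'name <op> required'?"""
    pe, pv, pr = parse_evr(provided)
    re_, rv, rr = parse_evr(required)
    if pe is not None and re_ is not None and pe != re_:
        sense = 1 if pe > re_ else -1
    else:
        sense = rpmvercmp(pv, rv)
        if sense == 0 and pr is not None and rr is not None:
            sense = rpmvercmp(pr, rr)  # release counts only if both give one
    return {"==": sense == 0, ">=": sense >= 0, "<=": sense <= 0,
            ">": sense > 0, "<": sense < 0}[op]

if __name__ == "__main__":
    # The urpmi log above: npm's strict requirement lacks the .mga6 disttag,
    # so the only nodejs candidate, 1:6.11.1-2.1.mga6, does not match it.
    print(satisfies("1:6.11.1-2.1.mga6", "==", "1:6.11.1-2.1"))   # False
    # Is the installed nodejs at or past the upstream fix in 6.11.1?
    print(satisfies("1:6.10.3-2.mga6", ">=", "6.11.1"))            # False
    print(satisfies("1:6.11.1-3.mga6", ">=", "6.11.1"))            # True
```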

Comment 10 Nicolas Lécureuil 2017-08-20 01:24:05 CEST
I just tried and it installs now.

Can you confirm?

Whiteboard: feedback => (none)

Comment 11 David Walser 2017-08-20 01:26:04 CEST
Only the release tag changed again, but Nicolas is able to install them and upgrade to them from the core/release versions.

nodejs-6.11.1-3.mga6
nodejs-devel-6.11.1-3.mga6
npm-3.10.10-3.mga6
nodejs-docs-6.11.1-3.mga6

from nodejs-6.11.1-3.mga6.src.rpm
Comment 12 David Walser 2017-08-21 17:53:35 CEST
Nicolas is in the process of updating this again to 6.11.2, as well as providing an update for Mageia 5:
https://nodejs.org/en/blog/release/v6.11.2/

Whiteboard: (none) => feedback

Comment 13 David Walser 2017-08-22 18:51:21 CEST
This is still in progress.  It looks like the current build needs to be removed from mga6 core/updates_testing so it can be resubmitted, otherwise youri is rejecting the upload.

Current package list for Mageia 5 (since it won't be visible on pkgsubmit soon):
libuv1-1.9.0-1.mga5
libuv-devel-1.9.0-1.mga5
libuv-static-devel-1.9.0-1.mga5
libhttp-parser2-2.7.1-1.mga5
libhttp-parser-devel-2.7.1-1.mga5
nodejs-6.11.1-1.mga5
nodejs-devel-6.11.1-1.mga5
npm-3.10.10-1.mga5
nodejs-docs-6.11.1-1.mga5

from SRPMS:
libuv-1.9.0-1.mga5.src.rpm
http-parser-2.7.1-1.mga5.src.rpm
nodejs-6.11.1-1.mga5.src.rpm
Comment 14 Samuel Verschelde 2017-09-06 15:09:17 CEST
Moving 'feedback' from whiteboard to keywords now that madb has been updated to handle that keyword.

Whiteboard: feedback => (none)
Keywords: (none) => feedback

Comment 15 David Walser 2017-11-08 03:48:56 CET
Fedora has issued an advisory today (November 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YIOZ3PHJMBMHJGZPHUHUKZTSXF3GWNWG/

The issue (CVE-2017-14919) is fixed in 6.11.5:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

What's not clear to me is if the issue was in zlib itself, or nodejs's zlib module.  As we don't use the bundled zlib (we build against the system one), we may not be affected.
