Date: Thu, 14 Jan 2021 20:37:35 +0000 (UTC) From: "Bradley T. Hughes" <bhughes@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r561590 - head/security/vuxml Message-ID: <202101142037.10EKbZhL060316@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: bhughes Date: Thu Jan 14 20:37:35 2021 New Revision: 561590 URL: https://svnweb.freebsd.org/changeset/ports/561590 Log: security/vuxml: document Node.js January 2021 Security Releases https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ Sponsored by: Miles AS Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Jan 14 20:25:50 2021 (r561589) +++ head/security/vuxml/vuln.xml Thu Jan 14 20:37:35 2021 (r561590) @@ -58,6 +58,52 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="08b553ed-537a-11eb-be6e-0022489ad614"> + <topic>Node.js -- January 2021 Security Releases</topic> + <affects> + <package> + <name>node10</name> + <range><lt>10.23.1</lt></range> + </package> + <package> + <name>node12</name> + <range><lt>12.20.1</lt></range> + </package> + <package> + <name>node14</name> + <range><lt>14.15.4</lt></range> + </package> + <package> + <name>node</name> + <range><lt>15.5.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Node.js reports:</p> + <blockquote cite="https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/">; + <h1>use-after-free in TLSWrap (High) (CVE-2020-8265)</h1> + <p>Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.</p> + <h1>HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)</h1> + <p>Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.</p> + <h1>OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)</h1> + <p>iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.</p>; + </blockquote> + </body> + </description> + <references> + <url>https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/</url>; + <url>https://www.openssl.org/news/secadv/20201208.txt</url>; + <cvename>CVE-2020-8265</cvename> + <cvename>CVE-2020-8287</cvename> + <cvename>CVE-2020-1971</cvename> + </references> + <dates> + <discovery>2021-01-04</discovery> + <entry>2021-01-14</entry> + </dates> + </vuln> + <vuln vid="0a8ebf4a-5660-11eb-b4e2-001b217b3468"> <topic>Gitlab -- vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202101142037.10EKbZhL060316>