FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  509146
Date:      2019-08-17
Time:      11:07:33Z
Committer: joneum

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
45b8e2eb-7056-11e8-8fab-63ca6e0e13a2node.js -- multiple vulnerabilities

Node.js reports:

Denial of Service Vulnerability in HTTP/2 (CVE-2018-7161)

All versions of 8.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation. Thanks to Jordan Zebor at F5 Networks for reporting this issue.

Denial of Service, nghttp2 dependency (CVE-2018-1000168)

All versions of 9.x and later are vulnerable and the severity is HIGH. Under certain conditions, a malicious client can trigger an uninitialized read (and a subsequent segfault) by sending a malformed ALTSVC frame. This has been addressed through an by updating nghttp2.

Denial of Service Vulnerability in TLS (CVE-2018-7162)

All versions of 9.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation. Thanks to Jordan Zebor at F5 Networks all of his help investigating this issue with the Node.js team.

Memory exhaustion DoS on v9.x (CVE-2018-7164)

Versions 9.7.0 and later are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.

Calls to Buffer.fill() and/or Buffer.alloc() may hang (CVE-2018-7167)

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases.


Discovery 2018-06-12
Entry 2018-06-15
node6
lt 6.14.3

node8
lt 8.11.3

node
lt 10.4.1

https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
CVE-2018-7161
CVE-2018-7162
CVE-2018-7164
CVE-2018-7167
CVE-2018-1000168
2a86f45a-fc3c-11e8-a414-00155d006b02node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement. They also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2q, and upgrades of Node.js 10 and 11 to OpenSSL 1.1.0j.

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

Debugger port 5858 listens on any interface by default (CVE-2018-12120)

All versions of Node.js 6 are vulnerable and the severity is HIGH. When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.

Denial of Service with large HTTP headers (CVE-2018-12121)

All versions of 6 and later are vulnerable and the severity is HIGH. By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

The total size of HTTP headers received by Node.js now must not exceed 8192 bytes.

"Slowloris" HTTP Denial of Service (CVE-2018-12122)

All versions of Node.js 6 and later are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.

A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service.

Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

All versions of Node.js 6 and later are vulnerable and the severity is LOW. If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

HTTP request splitting (CVE-2018-12116)

Node.js 6 and 8 are vulnerable and the severity is MEDIUM. If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

OpenSSL Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.

OpenSSL Timing vulnerability in DSA signature generation (CVE-2018-0734)

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.

OpenSSL Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side-channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.


Discovery 2018-11-27
Entry 2018-12-10
node6
lt 6.15.0

node8
lt 8.14.0

node10
lt 10.14.0

node
lt 11.3.0

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
CVE-2018-12120
CVE-2018-12121
CVE-2018-12122
CVE-2018-12123
CVE-2018-12116
CVE-2018-0735
CVE-2018-0734
CVE-2018-5407
5a9bbb6e-32d3-11e8-a769-6daaba161086node.js -- multiple vulnerabilities

Node.js reports:

Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)

Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.

'path' module regular expression denial of service (CVE-2018-7158)

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x.

Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.


Discovery 2018-03-21
Entry 2018-03-28
Modified 2018-03-28
node4
lt 4.9.0

node6
lt 6.14.0

node8
lt 8.11.0

node
lt 9.10.0

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
CVE-2018-7158
CVE-2018-7159
CVE-2018-7160
bea84a7a-e0c9-11e7-b4f3-11baa0c2df21node.js -- Data Confidentiality/Integrity Vulnerability, December 2017

Node.js reports:

Data Confidentiality/Integrity Vulnerability - CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

Uninitialized buffer vulnerability - CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Also included in OpenSSL update - CVE 2017-3738

Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.


Discovery 2017-12-08
Entry 2017-12-14
node4
lt 4.8.7

node6
lt 6.12.2

node8
lt 8.9.3

node
lt 9.2.1

https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
CVE-2017-15896
CVE-2017-15897
CVE-2017-3738
0904e81f-a89d-11e8-afbb-bc5ff4f77b71node.js -- multiple vulnerabilities

Node.js reports:

OpenSSL: Client DoS due to large DH parameter

This fixes a potential denial of service (DoS) attack against client connections by a malicious server. During a TLS communication handshake, where both client and server agree to use a cipher-suite using DH or DHE (Diffie-Hellman, in both ephemeral and non-ephemeral modes), a malicious server can send a very large prime value to the client. Because this has been unbounded in OpenSSL, the client can be forced to spend an unreasonably long period of time to generate a key, potentially causing a denial of service.

OpenSSL: ECDSA key extraction via local side-channel

Attackers with access to observe cache-timing may be able to extract DSA or ECDSA private keys by causing the victim to create several signatures and watching responses. This flaw does not have a CVE due to OpenSSL policy to not assign itself CVEs for local-only vulnerabilities that are more academic than practical. This vulnerability was discovered by Keegan Ryan at NCC Group and impacts many cryptographic libraries including OpenSSL.

Unintentional exposure of uninitialized memory

Only Node.js 10 is impacted by this flaw.

Node.js TSC member Nikita Skovoroda discovered an argument processing flaw that causes Buffer.alloc() to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is misinterpreted by Buffer's internal "fill" method as the start to a fill operation. This flaw may be abused where Buffer.alloc() arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.

Out of bounds (OOB) write

Node.js TSC member Nikita Skovoroda discovered an OOB write in Buffer that can be used to write to memory outside of a Buffer's memory space. This can corrupt unrelated Buffer objects or cause the Node.js process to crash.

When used with UCS-2 encoding (recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'), Buffer#write() can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.


Discovery 2018-08-16
Entry 2018-08-25
node
lt 10.9.0

node8
lt 8.11.4

node6
lt 6.14.4

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
CVE-2018-0732
CVE-2018-7166
CVE-2018-12115
d7d1cc94-b971-11e7-af3a-f1035dd0da62Node.js -- remote DOS security vulnerability

Node.js reports:

Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception (depending on the version)


Discovery 2017-10-17
Entry 2017-10-25
node
lt 8.8.0

node6
ge 6.10.2 lt 6.11.5

node4
ge 4.8.2 lt 4.8.5

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
CVE-2017-14919
b71d7193-3c54-11e9-a3f9-00155d006b02Node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability.

For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw.

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw.

Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.

Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability.


Discovery 2019-02-28
Entry 2019-03-03
node
lt 11.10.1

node10
lt 10.15.2

node8
lt 8.15.1

node6
lt 6.17.0

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
CVE-2019-5737
CVE-2019-5739
CVE-2019-1559