FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 19:33:48 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
5a9bbb6e-32d3-11e8-a769-6daaba161086	node.js -- multiple vulnerabilities Node.js reports: Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160) Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. 'path' module regular expression denial of service (CVE-2018-7158) The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159) The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference. Discovery 2018-03-21 Entry 2018-03-28 Modified 2018-03-28 node4 < 4.9.0 node6 < 6.14.0 node8 < 8.11.0 node < 9.10.0 https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ CVE-2018-7158 CVE-2018-7159 CVE-2018-7160

VuXML ID

Description

5a9bbb6e-32d3-11e8-a769-6daaba161086

node.js -- multiple vulnerabilities

Node.js reports:

Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)

Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.

'path' module regular expression denial of service (CVE-2018-7158)

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x.

Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.

Discovery 2018-03-21
Entry 2018-03-28
Modified 2018-03-28
node4

< 4.9.0

node6

< 6.14.0

node8

< 8.11.0

node

< 9.10.0

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
CVE-2018-7158
CVE-2018-7159
CVE-2018-7160