FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
bea84a7a-e0c9-11e7-b4f3-11baa0c2df21node.js -- Data Confidentiality/Integrity Vulnerability, December 2017

Node.js reports:

Data Confidentiality/Integrity Vulnerability - CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

Uninitialized buffer vulnerability - CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Also included in OpenSSL update - CVE 2017-3738

Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.


Discovery 2017-12-08
Entry 2017-12-14
node4
< 4.8.7

node6
< 6.12.2

node8
< 8.9.3

node
< 9.2.1

https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
CVE-2017-15896
CVE-2017-15897
CVE-2017-3738
5a9bbb6e-32d3-11e8-a769-6daaba161086node.js -- multiple vulnerabilities

Node.js reports:

Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)

Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.

'path' module regular expression denial of service (CVE-2018-7158)

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x.

Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.


Discovery 2018-03-21
Entry 2018-03-28
Modified 2018-03-28
node4
< 4.9.0

node6
< 6.14.0

node8
< 8.11.0

node
< 9.10.0

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
CVE-2018-7158
CVE-2018-7159
CVE-2018-7160
3eff66c5-66c9-11e7-aa1d-3d2e663cef42node.js -- multiple vulnerabilities

Updates are now available for all active Node.js release lines as well as the 7.x line. These include the fix for the high severity vulnerability identified in the initial announcement, one additional lower priority Node.js vulnerability in the 4.x release line, as well as some lower priority fixes for Node.js dependencies across the current release lines.

Constant Hashtable Seeds (CVE pending)

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup. Thanks to Jann Horn of Google Project Zero for reporting this vulnerability.

This is a high severity vulnerability and applies to all active release lines (4.x, 6.x, 8.x) as well as the 7.x line.

http.get with numeric authorization options creates uninitialized buffers

Application code that allows the auth field of the options object used with http.get() to be set to a number can result in an uninitialized buffer being created/used as the authentication string.

This is a low severity defect and only applies to the 4.x release line.


Discovery 2017-06-27
Entry 2017-07-12
node
< 8.1.4

node4
< 4.8.4

node6
< 6.11.1

https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
28bb6ee5-9b5c-11e6-b799-19bef72f4b7cnode.js -- ares_create_query single byte out of buffer write

Node.js has released new versions containing the following security fix:

The following releases all contain fixes for CVE-2016-5180 "ares_create_query single byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance), Node.js v4.6.1 (LTS "Argon")

While this is not a critical update, all users of these release lines should upgrade at their earliest convenience.


Discovery 2016-10-18
Entry 2016-10-26
node010
< 0.10.48

node012
< 0.12.17

node4
< 4.6.1

https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
CVE-2016-5180
ports/213800