MGASA-2019-0277

Source
https://advisories.mageia.org/MGASA-2019-0277.html
Import Source
https://advisories.mageia.org/MGASA-2019-0277.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2019-0277
Related
Published
2019-09-15T13:24:16Z
Modified
2022-02-17T18:21:47Z
Summary
Updated nodejs packages fix security vulnerabilities
Details

This update provides nodejs v6.17.1 fixing at least the following security issues:

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer (CVE-2017-1000381)

Fix for 'path' module regular expression denial of service (CVE-2018-7158)

Reject spaces in HTTP Content-Length header values (CVE-2018-7159)

Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)

buffer: Fixes Denial of Service vulnerability where calling Buffer.fill() could hang (CVE-2018-7167)

buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)

Node.js: HTTP request splitting (CVE-2018-12116)

Node.js: Debugger port 5858 listens on any interface by default (CVE-2018-12120)

Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)

Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122)

Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)

Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739)

For other fixes in this update, see the referenced release logs.
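The Content-Length item above (CVE-2018-7159) is easiest to understand by watching two parsers disagree on where one request ends. The following is an added example, not Node.js or http-parser code: three readers for the header value, one that strips spaces so that "1 2" becomes 12 (the behaviour the advisory says was removed), one that stops at the first non-digit the way parseInt does, and one strict reader that accepts only optional surrounding whitespace around 1*DIGIT as RFC 7230 requires. All three are run over a constructed pair of pipelined requests; the host, path and request bytes are made up for the illustration.

```javascript
// Added example, not code from Node.js, http-parser or the Mageia package.

// Lenient reader: drop every space/tab and parse what is left. " 1 2" -> 12.
function contentLengthLenient(value) {
  const digits = value.replace(/[ \t]/g, '');
  return /^[0-9]+$/.test(digits) ? Number(digits) : null;
}

// "First digits" reader: parseInt semantics, stops at the first non-digit. " 1 2" -> 1.
function contentLengthFirstDigits(value) {
  const n = Number.parseInt(value, 10);
  return Number.isNaN(n) ? null : n;
}

// Strict reader: strip only leading/trailing OWS, then require 1*DIGIT and nothing else.
function contentLengthStrict(value) {
  const v = value.replace(/^[ \t]+|[ \t]+$/g, '');
  return /^[0-9]+$/.test(v) ? Number(v) : null;
}

// Frame one HTTP request out of a raw byte string using the supplied Content-Length
// reader. Returns { head, body, rest }; throws when the message must be rejected.
function frameRequest(raw, readContentLength) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) throw new Error('incomplete head');
  const head = raw.slice(0, end);
  const rest = raw.slice(end + 4);
  let length = null;
  for (const line of head.split('\r\n').slice(1)) {       // skip the request line
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    if (line.slice(0, colon).toLowerCase() !== 'content-length') continue;
    const n = readContentLength(line.slice(colon + 1));
    if (n === null) throw new Error('invalid Content-Length: ' + JSON.stringify(line.slice(colon + 1)));
    if (length !== null && length !== n) throw new Error('conflicting Content-Length headers');
    length = n;
  }
  if (length === null) length = 0;
  if (rest.length < length) throw new Error('incomplete body');
  return { head, body: rest.slice(0, length), rest: rest.slice(length) };
}

// Constructed input: an attacker-controlled first request followed by a second one.
// A reader that sees 1 treats "GET /admin ..." as a new request; a reader that sees 12
// swallows its first 12 bytes as body. The two sides of a proxy no longer agree.
const PIPELINED =
  'POST /comment HTTP/1.1\r\nHost: app.example\r\nContent-Length: 1 2\r\n\r\n' +
  'XGET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n';

for (const [label, reader] of [
  ['lenient', contentLengthLenient],
  ['first-digits', contentLengthFirstDigits],
  ['strict', contentLengthStrict],
]) {
  try {
    const { body, rest } = frameRequest(PIPELINED, reader);
    console.log(label, 'body =', JSON.stringify(body), 'next bytes =', JSON.stringify(rest.slice(0, 20)));
  } catch (e) {
    console.log(label, 'rejected:', e.message);
  }
}
```

The strict reader is the one the advisory describes: a value containing an interior space is not a number and the request is refused, so no downstream component gets the chance to read it differently.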

References
Credits

Affected packages

Mageia:6 / nodejs

Package

Name
nodejs
Purl
pkg:rpm/mageia/nodejs?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.17.1-8.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / http-parser

Package

Name
http-parser
Purl
pkg:rpm/mageia/http-parser?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.9.2-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / libuv

Package

Name
libuv
Purl
pkg:rpm/mageia/libuv?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.16.1-1.mga6

Ecosystem specific

{
    "section": "core"
}
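To turn the three affected ranges above into a yes/no answer for a host, the installed RPM version has to be compared with the "fixed" event using rpm's own ordering rules (epoch, then version, then release, with digit and alpha segments compared the way rpmvercmp does). The following is an added example, not Mageia, OSV or rpm code: the advisory's affected entries are transcribed from this page into a constructed JSON object, the inventory is a constructed imitation of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` output with hypothetical version strings, and the "~"/"^" pre-release markers of newer rpm are not handled.

```javascript
// Added example, not Mageia's, OSV's or rpm's code.

// rpmvercmp-style comparison of two version strings: split into digit and alpha
// segments, numbers beat letters, numbers compare by value, leftover segments win.
function rpmvercmp(a, b) {
  if (a === b) return 0;
  const segs = s => s.match(/[0-9]+|[A-Za-z]+/g) || [];
  const sa = segs(a), sb = segs(b);
  const n = Math.min(sa.length, sb.length);
  for (let i = 0; i < n; i++) {
    const x = sa[i], y = sb[i];
    const xNum = /^[0-9]/.test(x), yNum = /^[0-9]/.test(y);
    if (xNum !== yNum) return xNum ? 1 : -1;
    if (xNum) {
      const xs = x.replace(/^0+/, ''), ys = y.replace(/^0+/, '');
      if (xs.length !== ys.length) return xs.length > ys.length ? 1 : -1;
      if (xs !== ys) return xs > ys ? 1 : -1;
    } else if (x !== y) {
      return x > y ? 1 : -1;
    }
  }
  return sa.length === sb.length ? 0 : (sa.length > sb.length ? 1 : -1);
}

// Split "epoch:version-release" (epoch optional, defaults to 0).
function parseEvr(evr) {
  const colon = evr.indexOf(':');
  const epoch = colon === -1 ? '0' : evr.slice(0, colon);
  const rest = colon === -1 ? evr : evr.slice(colon + 1);
  const dash = rest.lastIndexOf('-');
  return { epoch, version: dash === -1 ? rest : rest.slice(0, dash), release: dash === -1 ? '' : rest.slice(dash + 1) };
}

function evrcmp(a, b) {
  const x = parseEvr(a), y = parseEvr(b);
  return rpmvercmp(x.epoch, y.epoch) || rpmvercmp(x.version, y.version) || rpmvercmp(x.release, y.release);
}

// OSV ECOSYSTEM range: each "introduced" opens a half-open interval that the next
// "fixed" closes; "0" means every earlier version. ("last_affected" is not on this page.)
function isAffected(installedEvr, events) {
  const intervals = [];
  let open = null;
  for (const ev of events) {
    if ('introduced' in ev) open = ev.introduced;
    else if ('fixed' in ev) { intervals.push([open ?? '0', ev.fixed]); open = null; }
  }
  if (open !== null) intervals.push([open, null]);
  return intervals.some(([lo, hi]) =>
    (lo === '0' || evrcmp(installedEvr, lo) >= 0) && (hi === null || evrcmp(installedEvr, hi) < 0));
}

// Affected entries transcribed from this advisory (constructed object, not fetched).
const MGASA_2019_0277 = {
  id: 'MGASA-2019-0277',
  affected: [
    { package: { ecosystem: 'Mageia:6', name: 'nodejs', purl: 'pkg:rpm/mageia/nodejs?distro=mageia-6' },
      ranges: [{ type: 'ECOSYSTEM', events: [{ introduced: '0' }, { fixed: '6.17.1-8.mga6' }] }] },
    { package: { ecosystem: 'Mageia:6', name: 'http-parser', purl: 'pkg:rpm/mageia/http-parser?distro=mageia-6' },
      ranges: [{ type: 'ECOSYSTEM', events: [{ introduced: '0' }, { fixed: '2.9.2-1.mga6' }] }] },
    { package: { ecosystem: 'Mageia:6', name: 'libuv', purl: 'pkg:rpm/mageia/libuv?distro=mageia-6' },
      ranges: [{ type: 'ECOSYSTEM', events: [{ introduced: '0' }, { fixed: '1.16.1-1.mga6' }] }] },
  ],
};

// Constructed inventory in the shape of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'`.
// The version strings are hypothetical; nodejs is one release behind the fix.
const INVENTORY = `
nodejs (none):6.17.1-7.mga6
http-parser (none):2.9.2-1.mga6
libuv (none):1.16.1-1.mga6
openssl (none):1.0.2u-1.mga6
`;

// Returns one finding per advisory package that is installed.
function checkInventory(rpmQaOutput, advisory) {
  const installed = new Map();
  for (const line of rpmQaOutput.trim().split('\n')) {
    const [name, evr] = line.trim().split(/\s+/);
    installed.set(name, evr.replace(/^\(none\):/, ''));   // rpm prints an unset epoch as "(none)"
  }
  const findings = [];
  for (const entry of advisory.affected) {
    const evr = installed.get(entry.package.name);
    if (evr === undefined) continue;
    const affected = entry.ranges.some(r => r.type === 'ECOSYSTEM' && isAffected(evr, r.events));
    const fixed = entry.ranges.flatMap(r => r.events).find(e => 'fixed' in e)?.fixed ?? null;
    findings.push({ name: entry.package.name, installed: evr, fixed, affected });
  }
  return findings;
}

for (const f of checkInventory(INVENTORY, MGASA_2019_0277)) {
  console.log(`${f.name} ${f.installed}: ${f.affected ? 'AFFECTED, fixed in ' + f.fixed : 'ok'}`);
}
```

On a real Mageia 6 host the inventory would come from the rpm query shown in the comment; packages not named in the advisory are ignored, and a package whose installed EVR equals the "fixed" value is reported as not affected because the range is half-open.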