USN-4796-1

See a problem?
Source
https://ubuntu.com/security/notices/USN-4796-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/USN-4796-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-4796-1
Related
Published
2021-03-15T21:18:37.270066Z
Modified
2021-03-15T21:18:37.270066Z
Summary
nodejs vulnerabilities
Details

Alexander Minozhenko and James Bunton discovered that Node.js did not properly handle wildcards in name fields of X.509 TLS certificates. An attacker could use this vulnerability to execute a machine-in-the-middle- attack. This issue only affected Ubuntu 14.04 ESM and 16.04 ESM. (CVE-2016-7099)

It was discovered that Node.js incorrectly handled certain NAPTR responses. A remote attacker could possibly use this issue to cause applications using Node.js to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 ESM. (CVE-2017-1000381)

Nikita Skovoroda discovered that Node.js mishandled certain input, leading to an out of bounds write. An attacker could use this vulnerability to cause a denial of service (crash) or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-12115)

Arkadiy Tetelman discovered that Node.js improperly handled certain malformed HTTP requests. An attacker could use this vulnerability to inject unexpected HTTP requests. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-12116)

Jan Maybach discovered that Node.js did not time out if incomplete HTTP/HTTPS headers were received. An attacker could use this vulnerability to cause a denial of service by keeping HTTP/HTTPS connections alive for a long period of time. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-12122)

Martin Bajanik discovered that the url.parse() method would return incorrect results if it received specially crafted input. An attacker could use this vulnerability to spoof the hostname and bypass hostname-specific security controls. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-12123)

It was discovered that Node.js is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser with network access to the system running the Node.js process. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-7160)

It was discovered that the Buffer.fill() and Buffer.alloc() methods improperly handled certain inputs. An attacker could use this vulnerability to cause a denial of service. This issue only affected Ubuntu 18.04 ESM. (CVE-2018-7167)

Marco Pracucci discovered that Node.js mishandled HTTP and HTTPS connections. An attacker could use this vulnerability to cause a denial of service. This issue only affected Ubuntu 18.04 ESM. (CVE-2019-5737)

References

Affected packages

Ubuntu:Pro:14.04:LTS / nodejs

Package

Name
nodejs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.10.25~dfsg2-2ubuntu1.2+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "nodejs-dev": "0.10.25~dfsg2-2ubuntu1.2+esm1",
            "nodejs-legacy": "0.10.25~dfsg2-2ubuntu1.2+esm1",
            "nodejs": "0.10.25~dfsg2-2ubuntu1.2+esm1"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / nodejs

Package

Name
nodejs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.10.0~dfsg-2ubuntu0.4+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "nodejs-dev": "8.10.0~dfsg-2ubuntu0.4+esm1",
            "nodejs-doc": "8.10.0~dfsg-2ubuntu0.4+esm1",
            "nodejs": "8.10.0~dfsg-2ubuntu0.4+esm1"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / nodejs

Package

Name
nodejs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.6~dfsg-1ubuntu4.2+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "nodejs-dev": "4.2.6~dfsg-1ubuntu4.2+esm1",
            "nodejs-legacy": "4.2.6~dfsg-1ubuntu4.2+esm1",
            "nodejs": "4.2.6~dfsg-1ubuntu4.2+esm1"
        }
    ]
}