Advisories ยป MGASA-2014-0516

Updated nodejs package fixes security vulnerabilities

Publication date: 09 Dec 2014
Modification date: 09 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-5256 , CVE-2013-6668


Updated nodejs package fixes security vulnerabilities:

A memory corruption vulnerability, which results in a denial-of-service, was
identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In
certain circumstances, a particularly deep recursive workload that may trigger
a GC and receive an interrupt may overflow the stack and result in a
segmentation fault. For instance, if your work load involves successive
JSON.parse calls and the parsed objects are significantly deep, you may
experience the process aborting while parsing (CVE-2014-5256).

Multiple unspecified vulnerabilities in Google V8 before, as used
in Node.js before 0.10.31, allow attackers to cause a denial of service or
possibly have other impact via unknown vectors (CVE-2013-6668).

The nodejs package has been updated to version 0.10.33 to fix these issues
as well as several other bugs.