Advisories » MGASA-2017-0204

Updated nodejs packages fix security vulnerability

Publication date: 13 Jul 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-5325, CVE-2016-7099


Node.js has a defect that may make HTTP response splitting possible
under certain circumstances. If user input is passed to the reason
argument to writeHead() on an HTTP response, a new-line character may be
used to inject additional responses (CVE-2016-5325).
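
An application-side check for the writeHead() issue described above, as an added example that is not code from Node.js or from this advisory. The helper names (isSafeReasonPhrase, writeHeadSafe, makeRecorder) and the sample inputs are constructed for illustration; the character set follows the RFC 7230 reason-phrase grammar.

```javascript
// RFC 7230: reason-phrase = *( HTAB / SP / VCHAR / obs-text )
// Anything else, in particular CR and LF, must never reach the status line.
const REASON_PHRASE = /^[\t\x20-\x7e\x80-\xff]*$/;

// True only for strings that contain no CR, LF or other control characters.
function isSafeReasonPhrase(value) {
  return typeof value === 'string' && REASON_PHRASE.test(value);
}

// Hypothetical wrapper: pass the reason to res.writeHead() only when it is
// safe; otherwise omit it so Node.js uses its default phrase for the code.
// Returns whether the caller-supplied reason was kept.
function writeHeadSafe(res, statusCode, reason, headers) {
  if (isSafeReasonPhrase(reason)) {
    res.writeHead(statusCode, reason, headers);
    return true;
  }
  res.writeHead(statusCode, headers);
  return false;
}

// Constructed stand-in for http.ServerResponse that records the arguments
// given to writeHead(), so the example runs without opening a socket.
function makeRecorder() {
  const calls = [];
  return { calls, writeHead: (...args) => { calls.push(args); } };
}

// Constructed sample reason values, as they might arrive from a request.
const samples = [
  'Not Found',
  'OK\r\nSet-Cookie: session=constructed',
  'Bad\nRequest',
];

// Runs every sample through the wrapper and reports what reached writeHead().
function runSamples() {
  return samples.map((reason) => {
    const res = makeRecorder();
    const kept = writeHeadSafe(res, 404, reason, { 'Content-Type': 'text/plain' });
    return { kept, argCount: res.calls[0].length };
  });
}

console.log(runSamples());
```
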

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does
not properly handle wildcards in name fields of X.509 certificates, which
allows man-in-the-middle attackers to spoof servers via a crafted
certificate (CVE-2016-7099).