Advisories ยป MGASA-2019-0277

Updated nodejs packages fix security vulnerabilities

Publication date: 15 Sep 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-1000381 , CVE-2018-7158 , CVE-2018-7159 , CVE-2018-7160 , CVE-2018-7167 , CVE-2018-12115 , CVE-2018-12116 , CVE-2018-12120 , CVE-2018-12121 , CVE-2018-12122 , CVE-2018-12123 , CVE-2019-5737 , CVE-2019-5739


This update provides nodejs v6.17.1 fixing at least the following security

The c-ares function ares_parse_naptr_reply(), which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given
input buffer (CVE-2017-1000381) 

Fix for 'path' module regular expression denial of service (CVE-2018-7158)

Reject spaces in HTTP Content-Length header values (CVE-2018-7159)

Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)

buffer: Fixes Denial of Service vulnerability where calling Buffer.fill()
could hang (CVE-2018-7167)

buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding

Node.js: HTTP request splitting (CVE-2018-12116)

Node.js: Debugger port 5858 listens on any interface by default

Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)

Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122)

Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)

Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739)

For other fixes in this update, see the referenced release logs.