Updated nodejs package fixes security vulnerabilities
Publication date: 06 Jan 2014
Modification date: 06 Jan 2014
Type: security
Affected Mageia releases: 3
CVE: CVE-2013-4450, CVE-2013-6639, CVE-2013-6640
Description
A denial of service flaw was found in the way Node.js handled pipelined HTTP requests. A remote attacker could use this flaw to send an excessive number of HTTP requests over a network connection, causing Node.js to use an excessive amount of memory and possibly exit when all available memory is exhausted (CVE-2013-4450). This update also fixes denial of service issues in the bundled V8 JavaScript library (CVE-2013-6639, CVE-2013-6640).
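Added example, not part of this advisory or of the Node.js project's code: a check a front end or log processor could run on the bytes received from one client connection to count how many HTTP requests were pipelined, so that connections exceeding a cap can be flagged. The function names, the MAX_PIPELINED value and the sample traffic are assumptions constructed for illustration; installing the updated package remains the fix.

```javascript
'use strict';

// Assumed policy value for illustration, not a figure from the advisory.
const MAX_PIPELINED = 16;

// Count complete HTTP/1.x requests sent back to back in one buffer of
// client bytes. Bodies are skipped using Content-Length so body bytes are
// never mistaken for further requests. Chunked bodies are not handled.
function countPipelinedRequests(buf) {
  const text = buf.toString('latin1'); // one byte per char keeps offsets valid
  let pos = 0;
  let count = 0;
  while (pos < text.length) {
    const headEnd = text.indexOf('\r\n\r\n', pos);
    if (headEnd === -1) break; // incomplete head: wait for more data
    const lines = text.slice(pos, headEnd).split('\r\n');
    if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(lines[0])) break; // not a request line
    let bodyLen = 0;
    for (const line of lines.slice(1)) {
      const m = /^content-length:\s*(\d+)\s*$/i.exec(line);
      if (m) bodyLen = parseInt(m[1], 10);
    }
    const next = headEnd + 4 + bodyLen;
    if (next > text.length) break; // body not fully received yet
    count += 1;
    pos = next;
  }
  return count;
}

// Per-connection decision: number of pipelined requests seen and whether
// that number exceeds the configured cap.
function assessConnection(buf, limit = MAX_PIPELINED) {
  const pipelined = countPipelinedRequests(buf);
  return { pipelined, exceedsLimit: pipelined > limit };
}

// Constructed sample: three pipelined requests. The POST body (19 bytes)
// looks like a request itself and must not be counted as a fourth.
const SAMPLE = Buffer.from(
  'GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n' +
  'POST /b HTTP/1.1\r\nHost: example.test\r\nContent-Length: 19\r\n\r\n' +
  'GET /x HTTP/1.1\r\n\r\n' +
  'GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n',
  'latin1'
);
```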
References
- https://bugs.mageia.org/show_bug.cgi?id=11981
- http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos/
- http://blog.nodejs.org/2013/12/19/node-v0-10-24-stable/
- https://rhn.redhat.com/errata/RHSA-2013-1842.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4450
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6639
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6640
SRPMS
3/core
- nodejs-0.10.24-1.mga3