{ "schema_version": "1.7.0", "id": "MGASA-2015-0186", "published": "2015-05-05T13:36:50Z", "modified": "2015-05-05T13:17:56Z", "summary": "Updated nodejs packages fix security vulnerabilities", "details": "Updated nodejs package fixes security vulnerability:\n\nIt was found that libuv does not call setgoups before calling setuid/setgid.\nThis may potentially allow an attacker to gain elevated privileges\n(CVE-2015-0278).\n\nThe libuv library is bundled with nodejs, and a fixed version of libuv is\nincluded with nodejs as of version 0.10.37. The nodejs package has been\nupdated to version 0.10.38 to fix this issue, as well as several other bugs.\n", "upstream": [ "CVE-2015-0278" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2015-0186.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=15405" }, { "type": "WEB", "url": "http://blog.nodejs.org/2014/12/17/node-v0-10-34-stable/" }, { "type": "WEB", "url": "http://blog.nodejs.org/2014/12/23/node-v0-10-35-stable/" }, { "type": "WEB", "url": "http://blog.nodejs.org/2015/01/26/node-v0-10-36-stable/" }, { "type": "WEB", "url": "http://blog.nodejs.org/2015/03/14/node-v0-10-37-stable/" }, { "type": "WEB", "url": "http://blog.nodejs.org/2015/03/23/node-v0-10-38-maintenance/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html" } ], "affected": [ { "package": { "ecosystem": "Mageia:4", "name": "nodejs", "purl": "pkg:rpm/mageia/nodejs?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.10.38-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }