Updated nodejs packages fix security vulnerability
Publication date: 19 Feb 2016Modification date: 19 Feb 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-2086 , CVE-2016-2216
Description
A request smuggling vulnerability was found in Node.js that can be
exploited under certain unspecified circumstances (CVE-2016-2086).
It was reported that HTTP header parsing in Node.js is vulnerable to
response splitting attacks. While Node.js has been protecting against
response splitting attacks by checking for CRLF characters, it is possible
to compose response headers using Unicode characters that decompose to
these characters, bypassing the checks previously in place
(CVE-2016-2216).
References
- https://bugs.mageia.org/show_bug.cgi?id=17779
- https://nodejs.org/en/blog/release/v0.10.42/
- https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
- https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2086
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2216
SRPMS
5/core
- nodejs-0.10.42-1.mga5