Updated nodejs packages fix security vulnerability
Publication date: 13 Jul 2017
Modification date: 13 Jul 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-5325, CVE-2016-7099
Description
Node.js has a defect that may make HTTP response splitting possible under certain circumstances. If user input is passed to the reason argument of writeHead() on an HTTP response, a newline character may be used to inject additional responses (CVE-2016-5325).
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate (CVE-2016-7099).
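For applications that must pass a caller-supplied reason to writeHead(), the following added example (not code from Node.js or from this advisory) checks the reason against the RFC 7230 reason-phrase grammar before use. The helper names isSafeReasonPhrase and safeWriteHead are hypothetical, and the sample inputs are constructed.

```javascript
'use strict';
// Added example; isSafeReasonPhrase and safeWriteHead are hypothetical helpers.

// RFC 7230: reason-phrase = *( HTAB / SP / VCHAR / obs-text )
// Tab, space, visible ASCII and 0x80-0xFF are allowed; CR, LF and other
// control characters are not, so a phrase cannot end the status line early.
const REASON_PHRASE = /^[\t\x20-\x7e\x80-\xff]*$/;

function isSafeReasonPhrase(reason) {
  return typeof reason === 'string' && REASON_PHRASE.test(reason);
}

// Calls res.writeHead() with the caller's reason only when it is safe.
// Otherwise the reason is dropped and Node.js supplies its standard phrase
// for the status code. Returns true if the custom reason was used.
function safeWriteHead(res, statusCode, reason, headers) {
  if (isSafeReasonPhrase(reason)) {
    res.writeHead(statusCode, reason, headers);
    return true;
  }
  res.writeHead(statusCode, headers);
  return false;
}

// Constructed sample run against a stub response object (no network needed).
function demo() {
  const calls = [];
  const res = { writeHead: (...args) => calls.push(args) };
  safeWriteHead(res, 200, 'All Good', { 'Content-Type': 'text/plain' });
  safeWriteHead(res, 404, 'Gone\r\nX-Constructed: 1', {});
  return calls;
}

console.log(demo());
```

Upgrading to the fixed package remains the actual remedy; this check is a defence-in-depth measure for code that accepts reason text from outside.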
References
- https://bugs.mageia.org/show_bug.cgi?id=19550
- https://nodejs.org/en/blog/release/v0.10.47/
- https://nodejs.org/en/blog/release/v0.10.48/
- https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
- https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5325
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7099
SRPMS
5/core
- nodejs-0.10.48-1.mga5