{
  "schema_version": "1.7.0",
  "id": "MGASA-2019-0277",
  "published": "2019-09-15T13:24:16Z",
  "modified": "2022-02-17T18:21:47Z",
  "summary": "Updated nodejs packages fix security vulnerabilities",
  "details": "This update provides nodejs v6.17.1, fixing at least the following security\nissues:\n\nThe c-ares function ares_parse_naptr_reply(), which is used for parsing\nNAPTR responses, could be triggered to read memory outside of the given\ninput buffer (CVE-2017-1000381)\n\nFix for 'path' module regular expression denial of service (CVE-2018-7158)\n\nReject spaces in HTTP Content-Length header values (CVE-2018-7159)\n\nFix for inspector DNS rebinding vulnerability (CVE-2018-7160)\n\nbuffer: Fixes Denial of Service vulnerability where calling Buffer.fill()\ncould hang (CVE-2018-7167)\n\nbuffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding\n(CVE-2018-12115)\n\nNode.js: HTTP request splitting (CVE-2018-12116)\n\nNode.js: Debugger port 5858 listens on any interface by default\n(CVE-2018-12120)\n\nNode.js: Denial of Service with large HTTP headers (CVE-2018-12121)\n\nNode.js: Slowloris HTTP Denial of Service (CVE-2018-12122)\n\nNode.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)\n\nNode.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)\n\nNode.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739)\n\nFor other fixes in this update, see the referenced release logs.\n\nThe http-parser and libuv packages are updated together with nodejs; their\nfixed versions are listed in the affected entries of this record.\n",
  "upstream": [
    "CVE-2017-1000381",
    "CVE-2018-7158",
    "CVE-2018-7159",
    "CVE-2018-7160",
    "CVE-2018-7167",
    "CVE-2018-12115",
    "CVE-2018-12116",
    "CVE-2018-12120",
    "CVE-2018-12121",
    "CVE-2018-12122",
    "CVE-2018-12123",
    "CVE-2019-5737",
    "CVE-2019-5739"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2019-0277.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=21330"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.11.0/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.11.1/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.11.2/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.11.3/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.11.4/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.12.0/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.12.1/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.12.2/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.12.3/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.13.0/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.13.1/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.14.0/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.14.1/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.14.2/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.14.3/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.15.0/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.15.1/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.16.0/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.17.0/"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v6.17.1/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:6",
        "name": "nodejs",
        "purl": "pkg:rpm/mageia/nodejs?arch=source&distro=mageia-6"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.17.1-8.mga6"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:6",
        "name": "http-parser",
        "purl": "pkg:rpm/mageia/http-parser?arch=source&distro=mageia-6"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.2-1.mga6"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:6",
        "name": "libuv",
        "purl": "pkg:rpm/mageia/libuv?arch=source&distro=mageia-6"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.1-1.mga6"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
