[gentoo-announce] [ GLSA 202003-48 ] Node.js: Multiple vulnerabilities - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202003-48 ] Node.js: Multiple vulnerabilities
Date:	Fri, 20 Mar 2020 19:21:59
Message-Id:	`e5b2c688-b02b-a580-b9a8-179db23ffc4e@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202003-48

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Node.js: Multiple vulnerabilities

9

     Date: March 20, 2020

10

     Bugs: #658074, #665656, #672136, #679132, #702988, #708458

11

       ID: 202003-48

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in Node.js, worst of which

19

could allow remote attackers to write arbitrary files.

20

21

Background

22

==========

23

24

Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  net-libs/nodejs             < 12.15.0                 >= 10.19.0

33

                                                           >= 12.15.0

34

35

Description

36

===========

37

38

Multiple vulnerabilities have been discovered in Node.js. Please review

39

the CVE identifiers referenced below for details.

40

41

Impact

42

======

43

44

A remote attacker could possibly write arbitrary files, cause a Denial

45

of Service condition or can conduct HTTP request splitting attacks.

46

47

Workaround

48

==========

49

50

There is no known workaround at this time.

51

52

Resolution

53

==========

54

55

All Node.js <12.x users should upgrade to the latest version:

56

57

  # emerge --sync

58

  # emerge --ask --oneshot --verbose ">=net-libs/nodejs-10.19.0"

59

60

All Node.js 12.x users should upgrade to the latest version:

61

62

  # emerge --sync

63

  # emerge --ask --oneshot --verbose ">=net-libs/nodejs-12.15.0"

64

65

References

66

==========

67

68

[  1 ] CVE-2018-12115

69

       https://nvd.nist.gov/vuln/detail/CVE-2018-12115

70

[  2 ] CVE-2018-12116

71

       https://nvd.nist.gov/vuln/detail/CVE-2018-12116

72

[  3 ] CVE-2018-12121

73

       https://nvd.nist.gov/vuln/detail/CVE-2018-12121

74

[  4 ] CVE-2018-12122

75

       https://nvd.nist.gov/vuln/detail/CVE-2018-12122

76

[  5 ] CVE-2018-12123

77

       https://nvd.nist.gov/vuln/detail/CVE-2018-12123

78

[  6 ] CVE-2018-7161

79

       https://nvd.nist.gov/vuln/detail/CVE-2018-7161

80

[  7 ] CVE-2018-7162

81

       https://nvd.nist.gov/vuln/detail/CVE-2018-7162

82

[  8 ] CVE-2018-7164

83

       https://nvd.nist.gov/vuln/detail/CVE-2018-7164

84

[  9 ] CVE-2018-7167

85

       https://nvd.nist.gov/vuln/detail/CVE-2018-7167

86

[ 10 ] CVE-2019-15604

87

       https://nvd.nist.gov/vuln/detail/CVE-2019-15604

88

[ 11 ] CVE-2019-15605

89

       https://nvd.nist.gov/vuln/detail/CVE-2019-15605

90

[ 12 ] CVE-2019-15606

91

       https://nvd.nist.gov/vuln/detail/CVE-2019-15606

92

[ 13 ] CVE-2019-16777

93

       https://nvd.nist.gov/vuln/detail/CVE-2019-16777

94

[ 14 ] CVE-2019-5737

95

       https://nvd.nist.gov/vuln/detail/CVE-2019-5737

96

[ 15 ] CVE-2019-5739

97

       https://nvd.nist.gov/vuln/detail/CVE-2019-5739

98

99

Availability

100

============

101

102

This GLSA and any updates to it are available for viewing at

103

the Gentoo Security Website:

104

105

 https://security.gentoo.org/glsa/202003-48

106

107

Concerns?

108

=========

109

110

Security is a primary focus of Gentoo Linux and ensuring the

111

confidentiality and security of our users' machines is of utmost

112

importance to us. Any security concerns should be addressed to

113

security@g.o or alternatively, you may file a bug at

114

https://bugs.gentoo.org.

115

116

License

117

=======

118

119

Copyright 2020 Gentoo Foundation, Inc; referenced text

120

belongs to its owner(s).

121

122

The contents of this document are licensed under the

123

Creative Commons - Attribution / Share Alike license.

124

125

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202003-48
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Node.js: Multiple vulnerabilities
9	Date: March 20, 2020
10	Bugs: #658074, #665656, #672136, #679132, #702988, #708458
11	ID: 202003-48
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in Node.js, worst of which
19	could allow remote attackers to write arbitrary files.
20
21	Background
22	==========
23
24	Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 net-libs/nodejs < 12.15.0 >= 10.19.0
33	>= 12.15.0
34
35	Description
36	===========
37
38	Multiple vulnerabilities have been discovered in Node.js. Please review
39	the CVE identifiers referenced below for details.
40
41	Impact
42	======
43
44	A remote attacker could possibly write arbitrary files, cause a Denial
45	of Service condition or can conduct HTTP request splitting attacks.
46
47	Workaround
48	==========
49
50	There is no known workaround at this time.
51
52	Resolution
53	==========
54
55	All Node.js <12.x users should upgrade to the latest version:
56
57	# emerge --sync
58	# emerge --ask --oneshot --verbose ">=net-libs/nodejs-10.19.0"
59
60	All Node.js 12.x users should upgrade to the latest version:
61
62	# emerge --sync
63	# emerge --ask --oneshot --verbose ">=net-libs/nodejs-12.15.0"
64
65	References
66	==========
67
68	[ 1 ] CVE-2018-12115
69	https://nvd.nist.gov/vuln/detail/CVE-2018-12115
70	[ 2 ] CVE-2018-12116
71	https://nvd.nist.gov/vuln/detail/CVE-2018-12116
72	[ 3 ] CVE-2018-12121
73	https://nvd.nist.gov/vuln/detail/CVE-2018-12121
74	[ 4 ] CVE-2018-12122
75	https://nvd.nist.gov/vuln/detail/CVE-2018-12122
76	[ 5 ] CVE-2018-12123
77	https://nvd.nist.gov/vuln/detail/CVE-2018-12123
78	[ 6 ] CVE-2018-7161
79	https://nvd.nist.gov/vuln/detail/CVE-2018-7161
80	[ 7 ] CVE-2018-7162
81	https://nvd.nist.gov/vuln/detail/CVE-2018-7162
82	[ 8 ] CVE-2018-7164
83	https://nvd.nist.gov/vuln/detail/CVE-2018-7164
84	[ 9 ] CVE-2018-7167
85	https://nvd.nist.gov/vuln/detail/CVE-2018-7167
86	[ 10 ] CVE-2019-15604
87	https://nvd.nist.gov/vuln/detail/CVE-2019-15604
88	[ 11 ] CVE-2019-15605
89	https://nvd.nist.gov/vuln/detail/CVE-2019-15605
90	[ 12 ] CVE-2019-15606
91	https://nvd.nist.gov/vuln/detail/CVE-2019-15606
92	[ 13 ] CVE-2019-16777
93	https://nvd.nist.gov/vuln/detail/CVE-2019-16777
94	[ 14 ] CVE-2019-5737
95	https://nvd.nist.gov/vuln/detail/CVE-2019-5737
96	[ 15 ] CVE-2019-5739
97	https://nvd.nist.gov/vuln/detail/CVE-2019-5739
98
99	Availability
100	============
101
102	This GLSA and any updates to it are available for viewing at
103	the Gentoo Security Website:
104
105	https://security.gentoo.org/glsa/202003-48
106
107	Concerns?
108	=========
109
110	Security is a primary focus of Gentoo Linux and ensuring the
111	confidentiality and security of our users' machines is of utmost
112	importance to us. Any security concerns should be addressed to
113	security@g.o or alternatively, you may file a bug at
114	https://bugs.gentoo.org.
115
116	License
117	=======
118
119	Copyright 2020 Gentoo Foundation, Inc; referenced text
120	belongs to its owner(s).
121
122	The contents of this document are licensed under the
123	Creative Commons - Attribution / Share Alike license.
124
125	https://creativecommons.org/licenses/by-sa/2.5