FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-19 19:12:13 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
bea84a7a-e0c9-11e7-b4f3-11baa0c2df21	node.js -- Data Confidentiality/Integrity Vulnerability, December 2017 Node.js reports: Data Confidentiality/Integrity Vulnerability - CVE-2017-15896 Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. Uninitialized buffer vulnerability - CVE-2017-15897 Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases. Also included in OpenSSL update - CVE 2017-3738 Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity. Discovery 2017-12-08 Entry 2017-12-14 node4 < 4.8.7 node6 < 6.12.2 node8 < 8.9.3 node < 9.2.1 https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ CVE-2017-15896 CVE-2017-15897 CVE-2017-3738
5a9bbb6e-32d3-11e8-a769-6daaba161086	node.js -- multiple vulnerabilities Node.js reports: Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160) Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. 'path' module regular expression denial of service (CVE-2018-7158) The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159) The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference. Discovery 2018-03-21 Entry 2018-03-28 Modified 2018-03-28 node4 < 4.9.0 node6 < 6.14.0 node8 < 8.11.0 node < 9.10.0 https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ CVE-2018-7158 CVE-2018-7159 CVE-2018-7160

VuXML ID

Description

bea84a7a-e0c9-11e7-b4f3-11baa0c2df21

node.js -- Data Confidentiality/Integrity Vulnerability, December 2017

Node.js reports:

Data Confidentiality/Integrity Vulnerability - CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

Uninitialized buffer vulnerability - CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Also included in OpenSSL update - CVE 2017-3738

Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.

Discovery 2017-12-08
Entry 2017-12-14
node4

< 4.8.7

node6

< 6.12.2

node8

< 8.9.3

node

< 9.2.1

https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
CVE-2017-15896
CVE-2017-15897
CVE-2017-3738

5a9bbb6e-32d3-11e8-a769-6daaba161086

node.js -- multiple vulnerabilities

Node.js reports:

Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)

Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.

'path' module regular expression denial of service (CVE-2018-7158)

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x.

Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.

Discovery 2018-03-21
Entry 2018-03-28
Modified 2018-03-28
node4

< 4.9.0

node6

< 6.14.0

node8

< 8.11.0

node

< 9.10.0

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
CVE-2018-7158
CVE-2018-7159
CVE-2018-7160