security/vuxml/vuln.xml
Help is also available from ports-security@freebsd.org. | Help is also available from ports-security@freebsd.org. | ||||
Notes: | Notes: | ||||
* Please add new entries to the beginning of this file. | * Please add new entries to the beginning of this file. | ||||
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) | * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) | ||||
--> | --> | ||||
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> | ||||
<vuln vid="3eff66c5-66c9-11e7-aa1d-3d2e663cef42"> | |||||
<topic>node.js -- multiple vulnerabilities</topic> | |||||
<affects> | |||||
<package> | |||||
<name>node</name> | |||||
<range><lt>8.1.4</lt></range> | |||||
</package> | |||||
<package> | |||||
<name>node4</name> | |||||
<range><lt>4.8.4</lt></range> | |||||
</package> | |||||
<package> | |||||
<name>node6</name> | |||||
<range><lt>6.11.1</lt></range> | |||||
</package> | |||||
</affects> | |||||
<description> | |||||
<body xmlns="http://www.w3.org/1999/xhtml"> | |||||
<p>Updates are now available for all active Node.js release lines as | |||||
well as the 7.x line. These include the fix for the high severity | |||||
vulnerability identified in the initial announcement, one additional | |||||
lower priority Node.js vulnerability in the 4.x release line, as well | |||||
as some lower priority fixes for Node.js dependencies across the | |||||
current release lines.</p> | |||||
<blockquote cite="https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/"> | |||||
<h2>Constant Hashtable Seeds (CVE pending)</h2> | |||||
<p>Node.js was susceptible to hash flooding remote DoS attacks as the | |||||
HashTable seed was constant across a given released version of | |||||
Node.js. This was a result of building with V8 snapshots enabled by | |||||
default which caused the initially randomized seed to be overwritten | |||||
on startup. Thanks to Jann Horn of Google Project Zero for reporting | |||||
this vulnerability.</p> | |||||
<p>This is a high severity vulnerability and applies to all active | |||||
release lines (4.x, 6.x, 8.x) as well as the 7.x line.</p> | |||||
<h2>http.get with numeric authorization options creates uninitialized | |||||
buffers</h2> | |||||
<p>Application code that allows the auth field of the options object | |||||
used with http.get() to be set to a number can result in an | |||||
uninitialized buffer being created/used as the authentication | |||||
string.</p> | |||||
<p>This is a low severity defect and only applies to the 4.x release | |||||
line.</p> | |||||
</blockquote> | |||||
</body> | |||||
</description> | |||||
<references> | |||||
<url>https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/</url> | |||||
</references> | |||||
<dates> | |||||
<discovery>2017-06-27</discovery> | |||||
<entry>2017-07-12</entry> | |||||
</dates> | |||||
</vuln> | |||||
<vuln vid="b28adc5b-6693-11e7-ad43-f0def16c5c1b"> | <vuln vid="b28adc5b-6693-11e7-ad43-f0def16c5c1b"> | ||||
<topic>nginx -- a specially crafted request might result in an integer overflow</topic> | <topic>nginx -- a specially crafted request might result in an integer overflow</topic> | ||||
<affects> | <affects> | ||||
<package> | <package> | ||||
<name>nginx</name> | <name>nginx</name> | ||||
<range><ge>0.5.6</ge><lt>1.12.1,2</lt></range> | <range><ge>0.5.6</ge><lt>1.12.1,2</lt></range> | ||||
</package> | </package> | ||||
<package> | <package> | ||||
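Review bot: the quoted advisory states that the hash-seed issue applies to the 7.x line as well as 4.x, 6.x and 8.x, but the `<affects>` block only lists node, node4 and node6; given the file header's reminder about port variants, confirm whether a 7.x port exists in the tree and, if so, add its `<package>` and `<range>` (a `<lt>` bound on the fixed release, as done for the other three). The `<references>` block carries only the advisory `<url>` and the first heading reads "CVE pending"; once the CVE is assigned, add a `<cvename>` reference next to the `<url>` so the entry can be found by identifier.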