svn commit: r561590 - head/security/vuxml
Bradley T. Hughes
bhughes at FreeBSD.org
Thu Jan 14 20:37:36 UTC 2021
Author: bhughes
Date: Thu Jan 14 20:37:35 2021
New Revision: 561590
URL: https://svnweb.freebsd.org/changeset/ports/561590
Log:
security/vuxml: document Node.js January 2021 Security Releases
https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
Sponsored by: Miles AS
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Jan 14 20:25:50 2021 (r561589)
+++ head/security/vuxml/vuln.xml Thu Jan 14 20:37:35 2021 (r561590)
@@ -58,6 +58,52 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="08b553ed-537a-11eb-be6e-0022489ad614">
+ <topic>Node.js -- January 2021 Security Releases</topic>
+ <affects>
+ <package>
+ <name>node10</name>
+ <range><lt>10.23.1</lt></range>
+ </package>
+ <package>
+ <name>node12</name>
+ <range><lt>12.20.1</lt></range>
+ </package>
+ <package>
+ <name>node14</name>
+ <range><lt>14.15.4</lt></range>
+ </package>
+ <package>
+ <name>node</name>
+ <range><lt>15.5.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js reports:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/">
+ <h1>use-after-free in TLSWrap (High) (CVE-2020-8265)</h1>
+ <p>Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.</p>
+ <h1>HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)</h1>
+ <p>Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.</p>
+ <h1>OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)</h1>
+ <p>iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/</url>
+ <url>https://www.openssl.org/news/secadv/20201208.txt</url>
+ <cvename>CVE-2020-8265</cvename>
+ <cvename>CVE-2020-8287</cvename>
+ <cvename>CVE-2020-1971</cvename>
+ </references>
+ <dates>
+ <discovery>2021-01-04</discovery>
+ <entry>2021-01-14</entry>
+ </dates>
+ </vuln>
+
<vuln vid="0a8ebf4a-5660-11eb-b4e2-001b217b3468">
<topic>Gitlab -- vulnerability</topic>
<affects>
More information about the svn-ports-all
mailing list