FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-19 20:48:44 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID Description

VuXML ID	Description
2a86f45a-fc3c-11e8-a414-00155d006b02	node.js -- multiple vulnerabilities Node.js reports: Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement. They also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2q, and upgrades of Node.js 10 and 11 to OpenSSL 1.1.0j. We recommend that all Node.js users upgrade to a version listed below as soon as possible. Debugger port 5858 listens on any interface by default (CVE-2018-12120) All versions of Node.js 6 are vulnerable and the severity is HIGH. When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable. Denial of Service with large HTTP headers (CVE-2018-12121) All versions of 6 and later are vulnerable and the severity is HIGH. By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer. The total size of HTTP headers received by Node.js now must not exceed 8192 bytes. "Slowloris" HTTP Denial of Service (CVE-2018-12122) All versions of Node.js 6 and later are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer. A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123) All versions of Node.js 6 and later are vulnerable and the severity is LOW. If a Node.js application is using `url.parse()` to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect. HTTP request splitting (CVE-2018-12116) Node.js 6 and 8 are vulnerable and the severity is MEDIUM. If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. OpenSSL Timing vulnerability in ECDSA signature generation (CVE-2018-0735) The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key. OpenSSL Timing vulnerability in DSA signature generation (CVE-2018-0734) The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key. OpenSSL Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side-channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. Discovery 2018-11-27 Entry 2018-12-10 node6 < 6.15.0 node8 < 8.14.0 node10 < 10.14.0 node < 11.3.0 https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ CVE-2018-12120 CVE-2018-12121 CVE-2018-12122 CVE-2018-12123 CVE-2018-12116 CVE-2018-0735 CVE-2018-0734 CVE-2018-5407
c97a940b-c392-11e9-bb38-000d3ab229d6	Node.js -- multiple vulnerabilities Node.js reports: Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all active Node.js release lines, including Linux ARMv6 builds for Node.js 8.x (which had been delayed). We recommend that all Node.js users upgrade to a version listed below as soon as possible. Vulnerabilities Fixed Impact: All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current) are vulnerable to the following: CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. CVE-2019-9513 "Resource Loop": The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service. CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service. CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service. CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service. CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google) Discovery 2019-08-16 Entry 2019-08-21 node < 12.8.1 node10 < 10.16.3 node8 < 8.16.1 https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ CVE-2019-9511 CVE-2019-9512 CVE-2019-9513 CVE-2019-9514 CVE-2019-9515 CVE-2019-9516 CVE-2019-9517 CVE-2019-9518
b71d7193-3c54-11e9-a3f9-00155d006b02	Node.js -- multiple vulnerabilities Node.js reports: Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability. For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw. We recommend that all Node.js users upgrade to a version listed below as soon as possible. OpenSSL: 0-byte record padding oracle (CVE-2019-1559) OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data. Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability. Discovery 2019-02-28 Entry 2019-03-03 node < 11.10.1 node10 < 10.15.2 node8 < 8.15.1 node6 < 6.17.0 https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ CVE-2019-5737 CVE-2019-5739 CVE-2019-1559

2a86f45a-fc3c-11e8-a414-00155d006b02

node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement. They also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2q, and upgrades of Node.js 10 and 11 to OpenSSL 1.1.0j.

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

Debugger port 5858 listens on any interface by default (CVE-2018-12120)

All versions of Node.js 6 are vulnerable and the severity is HIGH. When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.

Denial of Service with large HTTP headers (CVE-2018-12121)

All versions of 6 and later are vulnerable and the severity is HIGH. By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

The total size of HTTP headers received by Node.js now must not exceed 8192 bytes.

"Slowloris" HTTP Denial of Service (CVE-2018-12122)

All versions of Node.js 6 and later are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.

A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service.

Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

All versions of Node.js 6 and later are vulnerable and the severity is LOW. If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

HTTP request splitting (CVE-2018-12116)

Node.js 6 and 8 are vulnerable and the severity is MEDIUM. If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

OpenSSL Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.

OpenSSL Timing vulnerability in DSA signature generation (CVE-2018-0734)

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.

OpenSSL Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side-channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.

Discovery 2018-11-27
Entry 2018-12-10
node6

< 6.15.0

node8

< 8.14.0

node10

< 10.14.0

node

< 11.3.0

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
CVE-2018-12120
CVE-2018-12121
CVE-2018-12122
CVE-2018-12123
CVE-2018-12116
CVE-2018-0735
CVE-2018-0734
CVE-2018-5407

c97a940b-c392-11e9-bb38-000d3ab229d6

Node.js -- multiple vulnerabilities

Node.js reports:

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Updates are now available for all active Node.js release lines, including Linux ARMv6 builds for Node.js 8.x (which had been delayed).

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

Vulnerabilities Fixed

Impact: All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current) are vulnerable to the following:

CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 "Resource Loop": The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

Discovery 2019-08-16
Entry 2019-08-21
node

< 12.8.1

node10

< 10.16.3

node8

< 8.16.1

https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
CVE-2019-9511
CVE-2019-9512
CVE-2019-9513
CVE-2019-9514
CVE-2019-9515
CVE-2019-9516
CVE-2019-9517
CVE-2019-9518

b71d7193-3c54-11e9-a3f9-00155d006b02

Node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability.

For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw.

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw.

Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.

Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability.

Discovery 2019-02-28
Entry 2019-03-03
node

< 11.10.1

node10

< 10.15.2

node8

< 8.15.1

node6

< 6.17.0

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
CVE-2019-5737
CVE-2019-5739
CVE-2019-1559