FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
b092bd4f-1b16-11ec-9d9d-0022489ad614Node.js -- August 2021 Security Releases

Node.js reports:

cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931)

Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Use after free on close http2 on stream canceling (High) (CVE-2021-22940)

Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939)

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.


Discovery 2021-08-11
Entry 2021-09-21
node14
< 14.17.4

node
< 16.6.2

CVE-2021-22931
CVE-2021-22940
CVE-2021-22939
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
11fcfa8f-ac64-11ea-9dab-000d3ab229d6Node.js -- June 2020 Security Releases

Node.js reports:

Updates are now available for all supported Node.js release lines for the following issues.

TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172)

The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.

The 'session' event will now only be emitted after the 'secureConnect' event, and only for authorized connections.

HTTP/2 Large Settings Frame DoS (Low) (CVE-2020-11080)

Receiving unreasonably large HTTP/2 SETTINGS frames can consume 100% CPU to process all the settings, blocking all other activities until complete.

The HTTP/2 session frame is limited to 32 settings by default. This can be configured if necessary using the maxSettings option.

napi_get_value_string_*() allows various kinds of memory corruption (High) (CVE-2020-8174)

Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.

A exploit has not been reported and it may be difficult but the following is suggested:

  • All users of LTS Node.js versions should update to the versions announced in this security post. This will address the issue for any non pre-built add-on.
  • Maintainers who support EOL Node.js versions and/or build against a version of Node.js that did not support N-API internally should update to use the new versions of node-addon-api 1.x and 2.x that will be released soon after this announcement.

ICU-20958 Prevent SEGV_MAPERR in append (High) (CVE-2020-10531)

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Fix was applied to 10.x in an abundance of caution, even though there is no known way to trigger the overflow in 10.x.


Discovery 2020-06-02
Entry 2020-06-12
node
< 14.4.0

node12
< 12.18.0

node10
< 10.21.0

https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
CVE-2020-8174
CVE-2020-8172
CVE-2020-10531
CVE-2020-11080
08b553ed-537a-11eb-be6e-0022489ad614Node.js -- January 2021 Security Releases

Node.js reports:

use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)

Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.


Discovery 2021-01-04
Entry 2021-01-14
node10
< 10.23.1

node12
< 12.20.1

node14
< 14.15.4

node
< 15.5.1

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
https://www.openssl.org/news/secadv/20201208.txt
CVE-2020-8265
CVE-2020-8287
CVE-2020-1971
4ca5894c-f7f1-11ea-8ff8-0022489ad614Node.js -- September 2020 Security Releases

Node.js reports:

Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.

HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Impacts:

  • All versions of the 14.x and 12.x releases line

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)

Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.

Impacts:

  • All versions of the 14.x release line

fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)

libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Impacts:

  • All versions of the 10.x release line
  • All versions of the 12.x release line
  • All versions of the 14.x release line before 14.9.0

Discovery 2020-09-08
Entry 2020-09-16
node
< 14.11.0

node12
< 12.18.4

node10
< 10.22.1

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
CVE-2020-8201
CVE-2020-8251
CVE-2020-8252
a9c5e89d-2d15-11ec-8363-0022489ad614Node.js -- October 2021 Security Releases

Node.js reports:

HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)

The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.


Discovery 2021-10-12
Entry 2021-10-14
node
< 16.11.1

node14
< 14.18.1

CVE-2021-22959
CVE-2021-22960
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/
c0c1834c-9761-11eb-acfd-0022489ad614Node.js -- April 2021 Security Releases

Node.js reports:

OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)

This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh


Discovery 2021-04-06
Entry 2021-04-07
node10
< 10.24.1

node12
< 12.22.1

node14
< 14.16.1

node
< 15.14.0

https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/
https://www.openssl.org/news/secadv/20210325.txt
https://github.com/advisories/GHSA-c4w7-xm78-47vh
CVE-2021-3450
CVE-2021-3449
CVE-2020-7774
2f3cd69e-7dee-11eb-b92e-0022489ad614Node.js -- February 2021 Security Releases

Node.js reports:

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

DNS rebinding in --inspect (CVE-2021-22884)

Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt


Discovery 2021-02-23
Entry 2021-03-09
node10
< 10.24.0

node12
< 12.21.0

node14
< 14.16.0

node
< 15.10.0

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
CVE-2021-22883
CVE-2021-22884
CVE-2021-23840
ad792169-2aa4-11eb-ab71-0022489ad614Node.js -- November 2020 Security Releases

Node.js reports:

Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues.

Denial of Service through DNS request (CVE-2020-8277)

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses.


Discovery 2020-11-16
Entry 2020-11-21
node
< 15.2.1

node14
< 14.15.1

node12
< 12.19.1

https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/
CVE-2020-8277
f53dab71-1b15-11ec-9d9d-0022489ad614Node.js -- July 2021 Security Releases (2)

Node.js reports:

Use after free on close http2 on stream canceling (High) (CVE-2021-22930)

Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.


Discovery 2021-07-29
Entry 2021-09-21
node14
< 14.17.4

node
< 16.6.0

CVE-2021-22930
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/
c174118e-1b11-11ec-9d9d-0022489ad614Node.js -- July 2021 Security Releases

Node.js reports:

libuv upgrade - Out of bounds read (Medium) (CVE-2021-22918)

Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.

Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921)

Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High) (CVE-2021-27290)

This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks.

npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium) (CVE-2021-23362)

This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.


Discovery 2021-07-01
Entry 2021-09-21
node14
< 14.17.2

node
< 16.4.1

CVE-2021-22918
CVE-2021-22921
CVE-2021-27290
CVE-2021-23362
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/