FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
c0c1834c-9761-11eb-acfd-0022489ad614Node.js -- April 2021 Security Releases

Node.js reports:

OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)

This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh


Discovery 2021-04-06
Entry 2021-04-07
node10
< 10.24.1

node12
< 12.22.1

node14
< 14.16.1

node
< 15.14.0

https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/
https://www.openssl.org/news/secadv/20210325.txt
https://github.com/advisories/GHSA-c4w7-xm78-47vh
CVE-2021-3450
CVE-2021-3449
CVE-2020-7774
08b553ed-537a-11eb-be6e-0022489ad614Node.js -- January 2021 Security Releases

Node.js reports:

use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)

Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.


Discovery 2021-01-04
Entry 2021-01-14
node10
< 10.23.1

node12
< 12.20.1

node14
< 14.15.4

node
< 15.5.1

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
https://www.openssl.org/news/secadv/20201208.txt
CVE-2020-8265
CVE-2020-8287
CVE-2020-1971
ad792169-2aa4-11eb-ab71-0022489ad614Node.js -- November 2020 Security Releases

Node.js reports:

Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues.

Denial of Service through DNS request (CVE-2020-8277)

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses.


Discovery 2020-11-16
Entry 2020-11-21
node
< 15.2.1

node14
< 14.15.1

node12
< 12.19.1

https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/
CVE-2020-8277
4ca5894c-f7f1-11ea-8ff8-0022489ad614Node.js -- September 2020 Security Releases

Node.js reports:

Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.

HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Impacts:

  • All versions of the 14.x and 12.x releases line

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)

Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.

Impacts:

  • All versions of the 14.x release line

fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)

libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Impacts:

  • All versions of the 10.x release line
  • All versions of the 12.x release line
  • All versions of the 14.x release line before 14.9.0

Discovery 2020-09-08
Entry 2020-09-16
node
< 14.11.0

node12
< 12.18.4

node10
< 10.22.1

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
CVE-2020-8201
CVE-2020-8251
CVE-2020-8252
2f3cd69e-7dee-11eb-b92e-0022489ad614Node.js -- February 2021 Security Releases

Node.js reports:

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

DNS rebinding in --inspect (CVE-2021-22884)

Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt


Discovery 2021-02-23
Entry 2021-03-09
node10
< 10.24.0

node12
< 12.21.0

node14
< 14.16.0

node
< 15.10.0

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
CVE-2021-22883
CVE-2021-22884
CVE-2021-23840
11fcfa8f-ac64-11ea-9dab-000d3ab229d6Node.js -- June 2020 Security Releases

Node.js reports:

Updates are now available for all supported Node.js release lines for the following issues.

TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172)

The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.

The 'session' event will now only be emitted after the 'secureConnect' event, and only for authorized connections.

HTTP/2 Large Settings Frame DoS (Low) (CVE-2020-11080)

Receiving unreasonably large HTTP/2 SETTINGS frames can consume 100% CPU to process all the settings, blocking all other activities until complete.

The HTTP/2 session frame is limited to 32 settings by default. This can be configured if necessary using the maxSettings option.

napi_get_value_string_*() allows various kinds of memory corruption (High) (CVE-2020-8174)

Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.

A exploit has not been reported and it may be difficult but the following is suggested:

  • All users of LTS Node.js versions should update to the versions announced in this security post. This will address the issue for any non pre-built add-on.
  • Maintainers who support EOL Node.js versions and/or build against a version of Node.js that did not support N-API internally should update to use the new versions of node-addon-api 1.x and 2.x that will be released soon after this announcement.

ICU-20958 Prevent SEGV_MAPERR in append (High) (CVE-2020-10531)

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Fix was applied to 10.x in an abundance of caution, even though there is no known way to trigger the overflow in 10.x.


Discovery 2020-06-02
Entry 2020-06-12
node
< 14.4.0

node12
< 12.18.0

node10
< 10.21.0

https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
CVE-2020-8174
CVE-2020-8172
CVE-2020-10531
CVE-2020-11080
0032400f-624f-11ea-b495-000d3ab229d6Node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines for the following issues.

HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)

Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.

HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)

Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.

Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)

Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.

Strict HTTP header parsing (None)

Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a --insecure-http-parser CLI option or insecureHTTPParser http option can be used if necessary for interoperability, but is not recommended.


Discovery 2020-02-06
Entry 2020-03-09
node
< 13.8.0

node12
< 12.15.0

node10
< 10.19.0

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
CVE-2019-15605
CVE-2019-15606
CVE-2019-15604