FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
c0c1834c-9761-11eb-acfd-0022489ad614Node.js -- April 2021 Security Releases

Node.js reports:

OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)

This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh


Discovery 2021-04-06
Entry 2021-04-07
node10
< 10.24.1

node12
< 12.22.1

node14
< 14.16.1

node
< 15.14.0

https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/
https://www.openssl.org/news/secadv/20210325.txt
https://github.com/advisories/GHSA-c4w7-xm78-47vh
CVE-2021-3450
CVE-2021-3449
CVE-2020-7774
11fcfa8f-ac64-11ea-9dab-000d3ab229d6Node.js -- June 2020 Security Releases

Node.js reports:

Updates are now available for all supported Node.js release lines for the following issues.

TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172)

The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.

The 'session' event will now only be emitted after the 'secureConnect' event, and only for authorized connections.

HTTP/2 Large Settings Frame DoS (Low) (CVE-2020-11080)

Receiving unreasonably large HTTP/2 SETTINGS frames can consume 100% CPU to process all the settings, blocking all other activities until complete.

The HTTP/2 session frame is limited to 32 settings by default. This can be configured if necessary using the maxSettings option.

napi_get_value_string_*() allows various kinds of memory corruption (High) (CVE-2020-8174)

Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.

A exploit has not been reported and it may be difficult but the following is suggested:

  • All users of LTS Node.js versions should update to the versions announced in this security post. This will address the issue for any non pre-built add-on.
  • Maintainers who support EOL Node.js versions and/or build against a version of Node.js that did not support N-API internally should update to use the new versions of node-addon-api 1.x and 2.x that will be released soon after this announcement.

ICU-20958 Prevent SEGV_MAPERR in append (High) (CVE-2020-10531)

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Fix was applied to 10.x in an abundance of caution, even though there is no known way to trigger the overflow in 10.x.


Discovery 2020-06-02
Entry 2020-06-12
node
< 14.4.0

node12
< 12.18.0

node10
< 10.21.0

https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
CVE-2020-8174
CVE-2020-8172
CVE-2020-10531
CVE-2020-11080
0032400f-624f-11ea-b495-000d3ab229d6Node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines for the following issues.

HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)

Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.

HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)

Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.

Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)

Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.

Strict HTTP header parsing (None)

Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a --insecure-http-parser CLI option or insecureHTTPParser http option can be used if necessary for interoperability, but is not recommended.


Discovery 2020-02-06
Entry 2020-03-09
node
< 13.8.0

node12
< 12.15.0

node10
< 10.19.0

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
CVE-2019-15605
CVE-2019-15606
CVE-2019-15604
4ca5894c-f7f1-11ea-8ff8-0022489ad614Node.js -- September 2020 Security Releases

Node.js reports:

Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.

HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Impacts:

  • All versions of the 14.x and 12.x releases line

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)

Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.

Impacts:

  • All versions of the 14.x release line

fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)

libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Impacts:

  • All versions of the 10.x release line
  • All versions of the 12.x release line
  • All versions of the 14.x release line before 14.9.0

Discovery 2020-09-08
Entry 2020-09-16
node
< 14.11.0

node12
< 12.18.4

node10
< 10.22.1

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
CVE-2020-8201
CVE-2020-8251
CVE-2020-8252
c97a940b-c392-11e9-bb38-000d3ab229d6Node.js -- multiple vulnerabilities

Node.js reports:

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Updates are now available for all active Node.js release lines, including Linux ARMv6 builds for Node.js 8.x (which had been delayed).

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

Vulnerabilities Fixed

Impact: All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current) are vulnerable to the following:

  • CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9513 "Resource Loop": The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
  • CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
  • CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

Discovery 2019-08-16
Entry 2019-08-21
node
< 12.8.1

node10
< 10.16.3

node8
< 8.16.1

https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
CVE-2019-9511
CVE-2019-9512
CVE-2019-9513
CVE-2019-9514
CVE-2019-9515
CVE-2019-9516
CVE-2019-9517
CVE-2019-9518
08b553ed-537a-11eb-be6e-0022489ad614Node.js -- January 2021 Security Releases

Node.js reports:

use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)

Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.


Discovery 2021-01-04
Entry 2021-01-14
node10
< 10.23.1

node12
< 12.20.1

node14
< 14.15.4

node
< 15.5.1

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
https://www.openssl.org/news/secadv/20201208.txt
CVE-2020-8265
CVE-2020-8287
CVE-2020-1971
2f3cd69e-7dee-11eb-b92e-0022489ad614Node.js -- February 2021 Security Releases

Node.js reports:

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

DNS rebinding in --inspect (CVE-2021-22884)

Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt


Discovery 2021-02-23
Entry 2021-03-09
node10
< 10.24.0

node12
< 12.21.0

node14
< 14.16.0

node
< 15.10.0

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
CVE-2021-22883
CVE-2021-22884
CVE-2021-23840
b71d7193-3c54-11e9-a3f9-00155d006b02Node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability.

For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw.

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw.

Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.

Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability.


Discovery 2019-02-28
Entry 2019-03-03
node
< 11.10.1

node10
< 10.15.2

node8
< 8.15.1

node6
< 6.17.0

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
CVE-2019-5737
CVE-2019-5739
CVE-2019-1559
2a86f45a-fc3c-11e8-a414-00155d006b02node.js -- multiple vulnerabilities

Node.js reports:

Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement. They also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2q, and upgrades of Node.js 10 and 11 to OpenSSL 1.1.0j.

We recommend that all Node.js users upgrade to a version listed below as soon as possible.

Debugger port 5858 listens on any interface by default (CVE-2018-12120)

All versions of Node.js 6 are vulnerable and the severity is HIGH. When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.

Denial of Service with large HTTP headers (CVE-2018-12121)

All versions of 6 and later are vulnerable and the severity is HIGH. By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

The total size of HTTP headers received by Node.js now must not exceed 8192 bytes.

"Slowloris" HTTP Denial of Service (CVE-2018-12122)

All versions of Node.js 6 and later are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.

A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service.

Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

All versions of Node.js 6 and later are vulnerable and the severity is LOW. If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

HTTP request splitting (CVE-2018-12116)

Node.js 6 and 8 are vulnerable and the severity is MEDIUM. If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

OpenSSL Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.

OpenSSL Timing vulnerability in DSA signature generation (CVE-2018-0734)

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.

OpenSSL Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side-channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.


Discovery 2018-11-27
Entry 2018-12-10
node6
< 6.15.0

node8
< 8.14.0

node10
< 10.14.0

node
< 11.3.0

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
CVE-2018-12120
CVE-2018-12121
CVE-2018-12122
CVE-2018-12123
CVE-2018-12116
CVE-2018-0735
CVE-2018-0734
CVE-2018-5407