|
|
Subscribe / Log in / New account

Mageia alert MGASA-2016-0080 (nodejs)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2016-0080: Updated nodejs packages fix security vulnerability 


Date:
    	      Fri, 19 Feb 2016 09:41:08 +0100


Message-ID:
    	      <20160219084108.E24A59F658@duvel.mageia.org>


MGASA-2016-0080 - Updated nodejs packages fix security vulnerability

Publication date: 19 Feb 2016
URL: http://advisories.mageia.org/MGASA-2016-0080.html

Type: security
Affected Mageia releases: 5
CVE: CVE-2016-2086,
     CVE-2016-2216

Description:
A request smuggling vulnerability was found in Node.js that can be
exploited under certain unspecified circumstances (CVE-2016-2086).

It was reported that HTTP header parsing in Node.js is vulnerable to
response splitting attacks. While Node.js has been protecting against
response splitting attacks by checking for CRLF characters, it is possible
to compose response headers using Unicode characters that decompose to
these characters, bypassing the checks previously in place
(CVE-2016-2216).

References:
- https://bugs.mageia.org/show_bug.cgi?id=17779

- https://nodejs.org/en/blog/release/v0.10.42/

- https://nodejs.org/en/blog/vulnerability/february-2016-se...
- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2086

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2216


SRPMS:
- 5/core/nodejs-0.10.42-1.mga5
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds