MGASA-2017-0204
- Source
- https://advisories.mageia.org/MGASA-2017-0204.html
- Import Source
- https://advisories.mageia.org/MGASA-2017-0204.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/MGASA-2017-0204
- Related
- Published
- 2017-07-13T09:10:46Z
- Modified
- 2017-07-13T08:46:41Z
- Summary
- Updated nodejs packages fix security vulnerability
- Details
-
Node.js has a defect that that may make HTTP response splitting possible under certain circumstances. If user-input is passed to the reason argument to writeHead() on an HTTP response, a new-line character may be used to inject additional responses (CVE-2016-5325).
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate (CVE-2016-7099).
- References
-
- https://advisories.mageia.org/MGASA-2017-0204.html
- https://bugs.mageia.org/show_bug.cgi?id=19550
- https://nodejs.org/en/blog/release/v0.10.47/
- https://nodejs.org/en/blog/release/v0.10.48/
- https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
- https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
- Credits
-
-
- Mageia - COORDINATOR
-
Affected packages
Mageia:5 / nodejs
Package
- Name
- nodejs
- Purl
- pkg:rpm/mageia/nodejs?distro=mageia-5