An update for rh-nodejs4-nodejs and rh-nodejs4-http-parser is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Node.js is a platform built on Chrome’s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

The following packages have been upgraded to a newer upstream version: rh-nodejs4-nodejs (4.6.2), rh-nodejs4-http-parser (2.7.0). (BZ#1388097)

Security Fix(es):

* It was found that Node.js’ tls.checkServerIdentity() function did not properly validate server certificates containing wildcards. A malicious TLS server could use this flaw to get a specially crafted certificate accepted by a Node.js TLS client. (CVE-2016-7099)

* It was found that the V8 Zone class was vulnerable to integer overflow when allocating new memory (Zone::New() and Zone::NewExpand()). An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application privileges. (CVE-2016-1669)

* A vulnerability was found in c-ares, a DNS resolver library bundled with Node.js. A hostname with an escaped trailing dot would have its size calculated incorrectly, leading to a single byte written beyond the end of a buffer on the heap. An attacker able to provide such a hostname to an application using c-ares could potentially cause that application to crash. (CVE-2016-5180)

* It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request. (CVE-2016-5325)
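The wildcard rules a TLS client's server-identity check has to enforce, as an added example that is neither Node's tls.checkServerIdentity() implementation nor the change shipped in this update: it applies the RFC 6125 section 6.4.3 matching rules (a single wildcard, only in the left-most label, never matching across labels, no "*.tld" patterns, no wildcard inside an xn-- A-label, and subjectAltName DNS names taking precedence over the subject CN). The function names, the constructed certificates and the assumption that the certificate object carries a Node-style `subjectaltname` string ("DNS:a, DNS:b, ...") are this example's own.

```javascript
'use strict';
// Added example (not Node's tls.checkServerIdentity() and not the patched
// code): hostname matching for certificate DNS names with the wildcard rules
// of RFC 6125 section 6.4.3 enforced explicitly. Names are hypothetical.

// Lower-case, drop one trailing dot, split into labels.
function labelsOf(name) {
  return name.toLowerCase().replace(/\.$/, '').split('.');
}

// Does `hostname` match one presented identifier `pattern` (a DNS-ID or CN)?
function hostnameMatchesPattern(hostname, pattern) {
  if (typeof hostname !== 'string' || typeof pattern !== 'string') return false;
  if (hostname === '' || pattern === '' || hostname.includes('*')) return false;

  const host = labelsOf(hostname);
  const pat = labelsOf(pattern);

  // Empty labels ("a..example.com") never match, and because a wildcard may
  // not span labels ("*.example.com" must not match "a.b.example.com") the
  // label counts have to be equal.
  if (host.includes('') || pat.includes('')) return false;
  if (host.length !== pat.length) return false;

  // A wildcard is only allowed in the left-most label; every other label
  // must match literally.
  for (let i = 1; i < pat.length; i++) {
    if (pat[i].includes('*') || pat[i] !== host[i]) return false;
  }

  const hostLeft = host[0];
  const patLeft = pat[0];
  const parts = patLeft.split('*');

  // No wildcard at all: plain case-insensitive comparison.
  if (parts.length === 1) return hostLeft === patLeft;

  // Reject more than one '*', a wildcard inside an IDNA A-label, and
  // patterns with fewer than two labels after the wildcard ("*.com").
  if (parts.length > 2) return false;
  if (patLeft.includes('xn--')) return false;
  if (pat.length < 3) return false;

  // "*" or a partial wildcard such as "f*o": the host label must carry the
  // literal prefix and suffix that surround the wildcard.
  const [prefix, suffix] = parts;
  return hostLeft.length >= prefix.length + suffix.length &&
         hostLeft.startsWith(prefix) && hostLeft.endsWith(suffix);
}

// Presented identifiers from a certificate object shaped like the one Node's
// TLS sockets return (assumption): `subjectaltname` is a string such as
// "DNS:*.example.com, DNS:example.com, IP Address:192.0.2.1".
function dnsNamesOf(cert) {
  const san = cert && typeof cert.subjectaltname === 'string' ? cert.subjectaltname : '';
  return san.split(', ')
            .filter((e) => e.startsWith('DNS:'))
            .map((e) => e.slice('DNS:'.length));
}

// RFC 6125: use the subjectAltName DNS-IDs when any are present and fall back
// to the subject CN only when there are none.
function certMatchesHostname(hostname, cert) {
  const names = dnsNamesOf(cert);
  if (names.length > 0) {
    return names.some((n) => hostnameMatchesPattern(hostname, n));
  }
  const cn = cert && cert.subject && cert.subject.CN;
  return hostnameMatchesPattern(hostname, cn);
}

// Constructed sample certificates for the example (not real ones).
const sanCert = {
  subject: { CN: 'www.attacker.example' },
  subjectaltname: 'DNS:*.example.com, DNS:example.com, IP Address:192.0.2.1',
};
const cnOnlyCert = { subject: { CN: '*.example.org' } };

for (const [host, cert] of [
  ['www.example.com', sanCert],       // wildcard DNS-ID matches
  ['a.b.example.com', sanCert],       // wildcard must not span two labels
  ['www.attacker.example', sanCert],  // CN is ignored when DNS-IDs exist
  ['www.example.org', cnOnlyCert],    // CN fallback with no SAN
]) {
  console.log(host, '->', certMatchesHostname(host, cert));
}
```

Run it with `node` on any 4.x or later release; the four printed lines are true, false, false, true. The label-count check is what makes cross-label matches impossible, and refusing any `*` outside the left-most label is cheaper and safer than trying to escape the pattern into a regular expression.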
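The response splitting path behind the writeHead() item, as an added example that is neither Node's http module code nor the fix in this update: a naive status-line serializer that copies the reason phrase verbatim, beside the reason-phrase check (the RFC 7230 reason-phrase grammar: HTAB, SP, VCHAR and obs-text only) that stops the injection. It assumes an application that reflects request-controlled text into the reason argument; the function names and the attacker string are constructed for the example.

```javascript
'use strict';
// Added example, not code from Node's http module and not the advisory's
// patch. It shows how an unvalidated reason phrase turns writeHead() into a
// header-injection primitive, next to the check that stops it.
// Function names are this example's own.

const CRLF = '\r\n';

// Serialize the response head the way a naive writeHead() would: the reason
// phrase is copied into the status line verbatim.
function buildHeadUnchecked(statusCode, reason, headers) {
  let head = `HTTP/1.1 ${statusCode} ${reason}${CRLF}`;
  for (const [name, value] of Object.entries(headers)) {
    head += `${name}: ${value}${CRLF}`;
  }
  return head + CRLF;
}

// RFC 7230: reason-phrase = *( HTAB / SP / VCHAR / obs-text ). Anything
// else, in particular CR and LF, must never reach the wire.
function isValidReason(reason) {
  return typeof reason === 'string' && !/[^\t\x20-\x7e\x80-\xff]/.test(reason);
}

// Hardened variant: refuse the write instead of emitting a split response.
function buildHeadChecked(statusCode, reason, headers) {
  if (!isValidReason(reason)) {
    throw new TypeError('Invalid character in reason phrase');
  }
  return buildHeadUnchecked(statusCode, reason, headers);
}

// What a receiver sees: split the head into its status line and header map.
function parseHead(raw) {
  const lines = raw.replace(/\r\n\r\n$/, '').split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { statusLine: lines[0], headers };
}

// Constructed attacker input: the application is assumed to reflect a
// request-controlled string (say, a query parameter) into the reason phrase.
const injectedReason = 'OK\r\nSet-Cookie: sid=attacker; Path=/';
const appHeaders = { 'Content-Type': 'text/plain' };

// Unchecked: the client parses an extra Set-Cookie header the app never set.
const split = parseHead(buildHeadUnchecked(200, injectedReason, appHeaders));
console.log('unchecked: injected header ->', split.headers['set-cookie']);

// Checked: the write is refused before anything hits the socket.
try {
  buildHeadChecked(200, injectedReason, appHeaders);
} catch (err) {
  console.log('checked:', err.message);
}
```

The same byte-level check belongs on header names and values as well, which is why the reason phrase is a separate finding: it was the one string in the head that was not run through it. Throwing is the right failure mode; stripping CR/LF silently would let the rest of the attacker's text through as a legitimate-looking reason.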
Red Hat Software Collections 1 for RHEL 6

SRPMS:
rh-nodejs4-http-parser-2.7.0-2.el6.src.rpm
    MD5: 1be79d043301931e4e2524106586e372
    SHA-256: 6417783c5027f77eb95240d8c274e50e3c2b2e17e1b20d5d748b227ce7c282c1
rh-nodejs4-nodejs-4.6.2-4.el6.src.rpm
    MD5: cdfb7bdb8475ac453e94f3b06cb77d22
    SHA-256: 12e266d9332eee35f9a137ada4a6265916b9398ca708dec7704d5204f58caf92

x86_64:
rh-nodejs4-http-parser-2.7.0-2.el6.x86_64.rpm
    MD5: 3f72ef9a784251be23c6df5f165a4fbb
    SHA-256: d9f8034a0db35f3e2ca1e6b9ccbd4c0f713115106e7ba02f6aac1ce8d10e19d9
rh-nodejs4-http-parser-debuginfo-2.7.0-2.el6.x86_64.rpm
    MD5: d59894b87a183feff359cae93cfd2aa4
    SHA-256: 15347098ad9efaebbebbd354bdee2fbc5484b8cadf4f6a9a8095398aa991af9b
rh-nodejs4-http-parser-devel-2.7.0-2.el6.x86_64.rpm
    MD5: b85b772cf02f333eb2215ecbb3c47713
    SHA-256: abe3bb38bcca021bc9019d25b2f580093e1906e4b2f2c5a81c6b4def5760e9d8
rh-nodejs4-nodejs-4.6.2-4.el6.x86_64.rpm
    MD5: 1282e5eda0480a0de112b10d09735f15
    SHA-256: ec7520ea07c0ad690338a7857dd66a3c36473d5ea4f2f8c516d10c442e3d1308
rh-nodejs4-nodejs-debuginfo-4.6.2-4.el6.x86_64.rpm
    MD5: 6bfd27fde47385fed2386ab7ac72b731
    SHA-256: b78527617bc7c2c53a7313f4e6efd29e292fe750e9fa6083ee27c97a9c0c0367
rh-nodejs4-nodejs-devel-4.6.2-4.el6.x86_64.rpm
    MD5: 09b2d9df9bb1f3c9bdce84dcb2cca7e6
    SHA-256: cfdbd051f2a90de9165276c7943e121035893063c3022c4d3df8aa9996652973
rh-nodejs4-nodejs-docs-4.6.2-4.el6.noarch.rpm
    MD5: e5d54a0bf367a79812b735de33901da1
    SHA-256: 69e04779cb3f72d3a23331c3808783e5d15124ac73cd55d76482e04e9953b834
 
Red Hat Software Collections 1 for RHEL 7

SRPMS:
rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm
    MD5: fa4adba9861843c57462030b70f80fe1
    SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a
rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm
    MD5: 5b08f0dfa19c1418de4b66d0d8d03c77
    SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba

x86_64:
rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm
    MD5: 3157c3f49148bd4e016071c625a44cb9
    SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d
rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm
    MD5: b0838c5dbf8201ab50c8cc07d679749c
    SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299
rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm
    MD5: ba5925d1dbbcad9c96fd39d6f189c558
    SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c
rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm
    MD5: f98464fe6969e1612b7fef9d3f40a4e5
    SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57
rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm
    MD5: ef6fe8fbf1922a549eddc265daad6794
    SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd
rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm
    MD5: 2aeb3934145dd5ad85e44dc0c5307bd6
    SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e
rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm
    MD5: 8b41080252a97e0b8e872ae660546050
    SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b
 
(The unlinked packages above are only available from the Red Hat Network)

1335449 – CVE-2016-1669 V8: integer overflow leading to buffer overflow in Zone::New
1346910 – CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated
1379921 – CVE-2016-7099 nodejs: wildcard certificates not properly validated
1380463 – CVE-2016-5180 c-ares: Single byte out of buffer write
1388097 – Rebase nodejs to latest v4 release

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
