From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] nodejs: security bump to version 8.11.1
Date: Sat, 07 Apr 2018 19:50:44 +0200 [thread overview]
Message-ID: <877epiewi3.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20180331061155.22458-1-peter@korsgaard.com> (Peter Korsgaard's message of "Sat, 31 Mar 2018 08:11:55 +0200")
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
> website could use a DNS rebinding attack to trick a web browser to bypass
> same-origin-policy checks and allow HTTP connections to localhost or to
> hosts on the local network, potentially to an open inspector port as a
> debugger, therefore gaining full code execution access. The inspector now
> only allows connections that have a browser Host value of localhost or
> localhost6.
> - Fix for 'path' module regular expression denial of service
> (CVE-2018-7158): A regular expression used for parsing POSIX paths could
> be used to cause a denial of service if an attacker were able to have a
> specially crafted path string passed through one of the impacted 'path'
> module functions.
> - Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
> Node.js HTTP parser allowed for spaces inside Content-Length header
> values. Such values now lead to rejected connections in the same way as
> non-numeric values.
> While we are at it, also add a hash for the license file.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2018.02.x, thanks.
--
Bye, Peter Korsgaard
prev parent reply other threads:[~2018-04-07 17:50 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-31 6:11 [Buildroot] [PATCH] nodejs: security bump to version 8.11.1 Peter Korsgaard
2018-03-31 15:10 ` Peter Korsgaard
2018-04-07 17:50 ` Peter Korsgaard [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877epiewi3.fsf@dell.be.48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox