Arch Linux Security Advisory ASA-201512-4 ========================================= Severity: High Date : 2015-12-05 CVE-ID : CVE-2015-6764 CVE-2015-8027 Package : nodejs Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package nodejs before version 5.1.1-1 is vulnerable to multiple issues, including but not limited to denial of service. Resolution ========== Upgrade to 5.1.1-1. # pacman -Syu "nodejs>=5.1.1-1" The problem has been fixed upstream in version 0.12.9, 4.2.3 and 5.1.1. Workaround ========== None. Description =========== - CVE-2015-6764 (V8 out-of-bounds access vulnerability): A bug was discovered in V8's implementation of JSON.stringify() that can result in out-of-bounds reads on arrays. The patch was included in this week's update of Chrome Stable. While this bug is high severity for browsers, it is considered lower risk for Node.js users as it requires the execution of third-party JavaScript within an application in order to be exploitable. Node.js users who expose services that process untrusted user-supplied JavaScript are at obvious risk. However, we recommend that all users of impacted versions of Node.js upgrade to the appropriate patched version in order to protect against malicious third-party JavaScript that may be executed within a Node.js process by other means. - CVE-2015-8027 (denial of service): This critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical. Impact ====== A remote attacker can shutdown a vulnerable Node.js service, or have unspecified impact via out-of-bounds reads on array. References ========== https://nodejs.org/en/blog/vulnerability/december-2015-security-releases/ https://access.redhat.com/security/cve/CVE-2015-6764 https://access.redhat.com/security/cve/CVE-2015-8027