[arch-security] [ASA-201512-4] nodejs: multiple issues

Remi Gacogne rgacogne at archlinux.org
Sat Dec 5 14:04:48 UTC 2015 

Arch Linux Security Advisory ASA-201512-4
=========================================

Severity: High
Date    : 2015-12-05
CVE-ID  : CVE-2015-6764 CVE-2015-8027
Package : nodejs
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package nodejs before version 5.1.1-1 is vulnerable to multiple
issues, including but not limited to denial of service.

Resolution
==========

Upgrade to 5.1.1-1.

# pacman -Syu "nodejs>=5.1.1-1"

The problem has been fixed upstream in version 0.12.9, 4.2.3 and 5.1.1.

Workaround
==========

None.

Description
===========

- CVE-2015-6764 (V8 out-of-bounds access vulnerability):

A bug was discovered in V8's implementation of JSON.stringify() that can
result in out-of-bounds reads on arrays. The patch was included in this
week's update of Chrome Stable. While this bug is high severity for
browsers, it is considered lower risk for Node.js users as it requires
the execution of third-party JavaScript within an application in order
to be exploitable.

Node.js users who expose services that process untrusted user-supplied
JavaScript are at obvious risk. However, we recommend that all users of
impacted versions of Node.js upgrade to the appropriate patched version
in order to protect against malicious third-party JavaScript that may be
executed within a Node.js process by other means.

- CVE-2015-8027 (denial of service):

This critical denial of service (DoS) vulnerability impacts all versions
of v0.12.x through to v5.x, inclusive. The vulnerability was discovered
by Node.js core team member Fedor Indutny and relates to HTTP
pipelining. Under certain conditions an HTTP socket may no longer have a
parser associated with it but a pipelined request can trigger a pause or
resume on the non-existent parser thereby causing an uncaughtException
to be thrown. As these conditions can be created by an external attacker
and cause a Node.js service to be shut down we consider this a critical
vulnerability. It is recommended that users of impacted versions of
Node.js exposing HTTP services upgrade to the appropriate patched
versions as soon as practical.

Impact
======

A remote attacker can shutdown a vulnerable Node.js service, or have
unspecified impact via out-of-bounds reads on array.

References
==========

https://nodejs.org/en/blog/vulnerability/december-2015-security-releases/
https://access.redhat.com/security/cve/CVE-2015-6764
https://access.redhat.com/security/cve/CVE-2015-8027

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151205/7bc06ac2/attachment.asc>

More information about the arch-security mailing list