RHSA-2017:0002-01 -- Redhat rh-nodejs4-http-parser, rh-nodejs4-nodejs
ID: oval:org.secpod.oval:def:504825 | Date: (C)2021-02-03 (M)2024-04-17
Class: PATCH | Family: unix
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

The following packages have been upgraded to a newer upstream version: rh-nodejs4-nodejs, rh-nodejs4-http-parser.

Security Fix:

* It was found that Node.js's tls.checkServerIdentity function did not properly validate server certificates containing wildcards. A malicious TLS server could use this flaw to get a specially crafted certificate accepted by a Node.js TLS client.
* It was found that the V8 Zone class was vulnerable to integer overflow when allocating new memory. An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application's privileges.
* A vulnerability was found in c-ares, a DNS resolver library bundled with Node.js. A hostname with an escaped trailing dot would have its size calculated incorrectly, leading to a single byte written beyond the end of a buffer on the heap. An attacker able to provide such a hostname to an application using c-ares could potentially cause that application to crash.
* It was found that the reason argument in ServerResponse#writeHead was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially crafted HTTP request.
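The first item above says only that wildcard certificates were not "properly" validated; the advisory does not describe the exact defect. As an added example (not Node.js's own tls.checkServerIdentity and not code from this advisory), the block below shows what a strict dNSName wildcard matcher looks like under the RFC 6125 section 6.4.3 rules: the wildcard must be the entire left-most label, it matches exactly one label, and at least two labels must follow it. The certificate object shape (`subjectaltname` as a "DNS:a, DNS:b" string) is assumed to mirror what `tls.TLSSocket#getPeerCertificate()` returns; the sample certificate is constructed.

```javascript
'use strict';

// Added example, not Node.js's own tls.checkServerIdentity: a strict
// wildcard hostname matcher following the RFC 6125 section 6.4.3 rules
// for dNSName identifiers. A wildcard is accepted only when it is the
// entire left-most label, matches exactly one label, and is followed by
// at least two further labels; everything else is rejected.

// Split a DNS name into lower-cased labels; null if the name is malformed.
function splitLabels(name) {
  if (typeof name !== 'string' || name.length === 0) return null;
  const labels = name.toLowerCase().split('.');
  // Empty label means "a..b", ".a" or "a." which we do not accept here.
  if (labels.some((l) => l.length === 0)) return null;
  return labels;
}

// True iff `host` is matched by the certificate identifier `pattern`.
function matchesHostname(host, pattern) {
  const h = splitLabels(host);
  const p = splitLabels(pattern);
  if (!h || !p) return false;
  // A hostname presented for matching never legitimately contains '*'.
  if (h.some((l) => l.includes('*'))) return false;

  const wildcardIdx = p.findIndex((l) => l.includes('*'));
  if (wildcardIdx === -1) {
    // No wildcard: exact, label-by-label comparison.
    return h.length === p.length && h.every((l, i) => l === p[i]);
  }
  // The wildcard must be the whole left-most label ("*.example.com"):
  // not partial ("f*.example.com"), not in another position ("www.*.com"),
  // not repeated ("*.*.com"), and it must leave at least two labels
  // ("*.com" is rejected).
  if (wildcardIdx !== 0 || p[0] !== '*' || p.length < 3) return false;
  if (p.slice(1).some((l) => l.includes('*'))) return false;
  // '*' matches exactly one label, so the label counts must be equal:
  // "*.example.com" does not match "a.b.example.com".
  if (h.length !== p.length) return false;
  return p.slice(1).every((l, i) => l === h[i + 1]);
}

// Check `host` against the dNSName entries of a certificate object whose
// `subjectaltname` field has the "DNS:a, DNS:b" shape (assumed to mirror
// tls.TLSSocket#getPeerCertificate(); the input below is constructed).
function checkCertHost(host, cert) {
  const names = String(cert.subjectaltname || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.startsWith('DNS:'))
    .map((s) => s.slice('DNS:'.length));
  return names.some((n) => matchesHostname(host, n));
}

// Constructed sample certificate, not a real one.
const SAMPLE_CERT = { subjectaltname: 'DNS:example.com, DNS:*.example.com' };

console.log(checkCertHost('api.example.com', SAMPLE_CERT)); // true
console.log(checkCertHost('a.b.example.com', SAMPLE_CERT)); // false
console.log(matchesHostname('www.example.com', '*.com'));   // false
```

The point of the label-count check and the `p.length < 3` rule is that a certificate for `*.com` or `*.*.example.com`, which a malicious server could obtain or forge, must never match a client's intended hostname; a matcher that is looser than this in any of those dimensions accepts more names than the certificate is entitled to.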
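The last item above describes HTTP response splitting through the writeHead reason phrase. The block below is an added example, not Node.js's own http implementation and not code from this advisory: a deliberately minimal status-line serialiser that trusts the reason phrase, beside a hardened version that rejects anything outside the RFC 7230 reason-phrase grammar, and a constructed attacker-controlled reason that turns one response into two. The error message string and helper names are this example's own.

```javascript
'use strict';

// Added example: why an unvalidated reason phrase in
// ServerResponse#writeHead enables HTTP response splitting, and one way
// to reject such input. Not Node.js's own code; the serialisers below
// are minimal stand-ins for the real status-line/header writer.

// Serialiser that performs NO validation of the reason phrase.
function serialiseUnchecked(status, reason, headers) {
  let out = `HTTP/1.1 ${status} ${reason}\r\n`;
  for (const [k, v] of Object.entries(headers)) out += `${k}: ${v}\r\n`;
  return out + '\r\n';
}

// RFC 7230 section 3.1.2: reason-phrase = *( HTAB / SP / VCHAR / obs-text ).
// CR and LF are never legal; other C0 controls and DEL are rejected too, so
// the phrase can never terminate the status line. Code units above 0xFF are
// also rejected, since headers are transmitted as single bytes.
const REASON_RE = /^[\t\x20-\x7e\x80-\xff]*$/;

function isValidReason(reason) {
  return typeof reason === 'string' && REASON_RE.test(reason);
}

// Hardened serialiser: refuses a reason phrase that could split the response.
function serialiseChecked(status, reason, headers) {
  if (!isValidReason(reason)) {
    throw new TypeError('Invalid character in statusMessage');
  }
  return serialiseUnchecked(status, reason, headers);
}

// Count the HTTP responses a naive client would see in `raw`: split on the
// blank line that ends a header block and count chunks that start with a
// status line. Used only to make the injected second response visible.
function countResponses(raw) {
  return raw
    .split('\r\n\r\n')
    .filter((chunk) => /^HTTP\/1\.1 \d{3}/.test(chunk))
    .length;
}

// Constructed attacker-controlled value, as might be echoed into the reason
// phrase by an application that copies request data into writeHead().
// It closes the first response with an empty body and starts a second,
// attacker-authored one.
const INJECTED_REASON =
  'OK\r\nContent-Length: 0\r\n\r\n' +
  'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 17\r\n\r\n' +
  '<h1>injected</h1>';

const raw = serialiseUnchecked(200, INJECTED_REASON, { 'Content-Type': 'text/plain' });
console.log(countResponses(raw)); // 2: the client sees an attacker-controlled second response
console.log(isValidReason(INJECTED_REASON)); // false
```

A client reading the unchecked output sees two complete responses where the server intended one; with a proxy or browser cache in the path, the second, attacker-authored response can be cached under the victim's URL. Rejecting CR and LF at the point where the status line is built removes the injection point regardless of where the reason phrase came from.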
Platform:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Product:
rh-nodejs4-http-parser
rh-nodejs4-nodejs