Security vulnerability in the nodejs and v8 packages

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2014-11065
2014-09-19 09:06:26
——————————————————————————–

Name : nodejs
Product : Fedora 20
Version : 0.10.32
Release : 1.fc20
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome’s JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

——————————————————————————–
Update Information:

This update provides the latest stable version of Node.js and corresponding backports to the v8 package.

This update resolves CVE-2013-6668, which has only a minor impact since Node.js is not typically used to execute untrusted JavaScript. For more information on the fixed vulnerability, please see the CVE bugs listed below.

Changes in this update include:

* v8: fix a crash introduced by previous release (Fedor Indutny)
* crypto: use domains for any callback-taking method (Chris Dickinson)
* http: do not send `0\r\n\r\n` in TE HEAD responses (Fedor Indutny)
* querystring: fix unescape override (Tristan Berger)
* url: Add support for RFC 3490 separators (Mathias Bynens)
* v8: backport CVE-2013-6668
* cluster: disconnect should not be synchronous (Sam Roberts)
* fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)
* stream: fix Readable.wrap objectMode falsy values (James Halliday)
* timers: fix timers with non-integer delay hanging. (Julien Gilli)
——————————————————————————–
ChangeLog:

* Thu Sep 18 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.32-1
– new upstream release 0.10.32
http://blog.nodejs.org/2014/08/19/node-v0-10-31-stable/
http://blog.nodejs.org/2014/09/16/node-v0-10-32-stable/
* Fri Aug 1 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.30-1
– new upstream release 0.10.30
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.29-1
– new upstream release 0.10.29
http://blog.nodejs.org/2014/06/16/node-v0-10-29-stable/
– The invalid UTF8 fix has been reverted since this breaks v8 API, which cannot
be done in a stable distribution release. This build of nodejs will behave as
if NODE_INVALID_UTF8 was set. For more information on the implications, see:
http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.28-1
– new upstream release 0.10.28
There is no difference between 0.10.27 and 0.10.28 for Fedora, as the only
thing updated was npm, which is shipped separately. The latest was only
packaged to avoid confusion. Please see the v0.10.27 changelog for relevant
changes in this update:
http://blog.nodejs.org/2014/05/01/node-v0-10-27-stable/
* Thu Feb 20 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.26-1
– new upstream release 0.10.26
http://blog.nodejs.org/2014/02/18/node-v0-10-26-stable/
* Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.25-2
– rebuild for icu-53 (via v8)
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.25-1
– new upstream release 0.10.25
http://blog.nodejs.org/2014/01/23/node-v0-10-25-stable/
* Thu Dec 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.24-1
– new upstream release 0.10.24
http://blog.nodejs.org/2013/12/19/node-v0-10-24-stable/
– upstream install script installs the headers now
* Thu Dec 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.23-1
– new upstream release 0.10.23
http://blog.nodejs.org/2013/12/11/node-v0-10-23-stable/
* Tue Nov 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.22-1
– new upstream release 0.10.22
http://blog.nodejs.org/2013/11/12/node-v0-10-22-stable/
——————————————————————————–
References:

[ 1 ] Bug #1074737 – CVE-2013-6668 v8: multiple vulnerabilities fixed in Google Chrome version 33.0.1750.146
https://bugzilla.redhat.com/show_bug.cgi?id=1074737
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update nodejs' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
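Updating is the fix, but an administrator usually also wants to confirm, after `yum update`, that the installed builds are at or above the fixed releases named in this notification. The script below is an added example and is not part of the Fedora advisory or the nodejs/v8 packages. It assumes Fedora 20, takes the fixed epoch:version-release strings from the notification headers and changelogs above (nodejs 0.10.32-1.fc20 with no epoch, v8 1:3.14.5.10-14.fc20), and reads installed versions with `rpm -q --qf`; the `version_at_least` helper is a simplified rpmvercmp written for this example (numeric fields compared numerically, others as strings; no tilde or caret handling), and the hard-coded sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the Fedora advisory: check whether the installed
# nodejs and v8 builds on a Fedora 20 host are at least the fixed releases named
# in FEDORA-2014-11065 (nodejs 0.10.32-1.fc20, v8 1:3.14.5.10-14.fc20).
# Assumption: versions are read with `rpm -q --qf` as epoch:version-release.

FIXED_NODEJS="0:0.10.32-1.fc20"
FIXED_V8="1:3.14.5.10-14.fc20"

# version_at_least A B: exit 0 if A >= B, 1 otherwise. Both strings are split on
# '.', ':' and '-' and compared field by field: numerically when both fields are
# numbers, as strings otherwise. This is a simplified rpmvercmp, sufficient for
# EVRs of the shape used here (no tilde or caret ordering).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.:-]/)
        nb = split(b, y, /[.:-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""
            q = (i <= nb) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) {
                if (p + 0 > q + 0) exit 0
                if (p + 0 < q + 0) exit 1
            } else if (p != q) {
                rc = (p > q) ? 0 : 1
                exit rc
            }
        }
        exit 0
    }'
}

# status_for PACKAGE INSTALLED_EVR FIXED_EVR: prints "fixed" or "outdated".
status_for() {
    if version_at_least "$2" "$3"; then
        echo "fixed"
    else
        echo "outdated"
    fi
}

# installed_evr PACKAGE: prints the installed epoch:version-release with a
# missing epoch normalised to 0 (rpm prints "(none)" for it). Prints nothing
# when the package is absent or rpm is unavailable, e.g. "package nodejs is
# not installed" is filtered out because it does not start with an epoch.
installed_evr() {
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null \
        | sed 's/^(none):/0:/' | grep -E '^[0-9]+:' | head -n 1
}

# check_host: report both packages; return 1 if either is still outdated.
check_host() {
    rc=0
    for pair in "nodejs $FIXED_NODEJS" "v8 $FIXED_V8"; do
        set -- $pair
        pkg=$1; fixed=$2
        inst=$(installed_evr "$pkg")
        if [ -z "$inst" ]; then
            echo "$pkg: not installed (or rpm not available)"
            continue
        fi
        state=$(status_for "$pkg" "$inst" "$fixed")
        echo "$pkg: installed $inst, fixed in $fixed -> $state"
        [ "$state" = fixed ] || rc=1
    done
    return $rc
}

# Constructed sample comparison (no rpm needed):
#   status_for nodejs 0:0.10.30-1.fc20 0:0.10.32-1.fc20   -> outdated
#   status_for v8 1:3.14.5.10-14.fc20 1:3.14.5.10-14.fc20 -> fixed
check_host || echo "at least one package is below the fixed release"
```

On a host where `rpm` is present, `check_host` reports each package and exits non-zero when either is still below the fixed build; on Fedora 19 substitute the fc19 releases given in the third and fourth notifications. Because the epoch is part of the comparison, a v8 build reported without an epoch would correctly rank below the 1:3.14.5.10 series rather than being compared on the version digits alone.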
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-11065
2014-09-19 09:06:26
——————————————————————————–

Name : v8
Product : Fedora 20
Version : 3.14.5.10
Release : 14.fc20
URL : http://code.google.com/p/v8
Summary : JavaScript Engine
Description :
V8 is Google’s open source JavaScript engine. V8 is written in C++ and is used
in Google Chrome, the open source browser from Google. V8 implements ECMAScript
as specified in ECMA-262, 3rd edition.

——————————————————————————–
Update Information:

This update provides the latest stable version of Node.js and corresponding backports to the v8 package.

This update resolves CVE-2013-6668, which has only a minor impact since Node.js is not typically used to execute untrusted JavaScript. For more information on the fixed vulnerability, please see the CVE bugs listed below.

Changes in this update include:

* v8: fix a crash introduced by previous release (Fedor Indutny)
* crypto: use domains for any callback-taking method (Chris Dickinson)
* http: do not send `0\r\n\r\n` in TE HEAD responses (Fedor Indutny)
* querystring: fix unescape override (Tristan Berger)
* url: Add support for RFC 3490 separators (Mathias Bynens)
* v8: backport CVE-2013-6668
* cluster: disconnect should not be synchronous (Sam Roberts)
* fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)
* stream: fix Readable.wrap objectMode falsy values (James Halliday)
* timers: fix timers with non-integer delay hanging. (Julien Gilli)
——————————————————————————–
ChangeLog:

* Wed Sep 17 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-14
– backport bugfix that eliminates unused-local-typedefs warning
– backport security fix: Fix Hydrogen bounds check elimination (CVE-2013-6668; RHBZ#1086120)
– backport fix to segfault caused by the above patch
* Tue Aug 26 2014 David Tardon <dtardon@redhat.com> – 1:3.14.5.10-13
– rebuild for ICU 53.1
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 1:3.14.5.10-12
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 31 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-11
– backport security fix for memory corruption and stack overflow (RHBZ#1125464)
https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
– backport bug fix for x64 MathMinMax for negative untagged int32 arguments.
https://github.com/joyent/node/commit/3530fa9cd09f8db8101c4649cab03bcdf760c434
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-10
– fix corner case in integer comparisons (v8 bug#2416; nodejs bug#7528)
* Sun Jun 8 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 1:3.14.5.10-9
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-8
– use clock_gettime() instead of gettimeofday(), which increases V8 performance
dramatically on virtual machines
* Tue Mar 18 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-7
– backport fix for unsigned integer arithmetic (RHBZ#1077136; CVE-2014-1704)
* Mon Feb 24 2014 Tomas Hrcka <thrcka@redhat.com> – 1:3.14.5.10-6
– Backport fix for incorrect handling of popular pages (RHBZ#1059070; CVE-2013-6640)
* Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-5
– rebuild for icu-52
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-4
– backport fix for enumeration for objects with lots of properties
* Fri Dec 13 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-3
– backport fix for out-of-bounds read DoS (RHBZ#1039889; CVE-2013-6640)
——————————————————————————–
References:

[ 1 ] Bug #1074737 – CVE-2013-6668 v8: multiple vulnerabilities fixed in Google Chrome version 33.0.1750.146
https://bugzilla.redhat.com/show_bug.cgi?id=1074737
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update v8' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2014-10975
2014-09-19 09:02:25
——————————————————————————–

Name : nodejs
Product : Fedora 19
Version : 0.10.32
Release : 1.fc19
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome’s JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

——————————————————————————–
Update Information:

This update provides the latest stable version of Node.js and corresponding backports to the v8 package.

This update resolves CVE-2013-6668, which has only a minor impact since Node.js is not typically used to execute untrusted JavaScript. For more information on the fixed vulnerability, please see the CVE bugs listed below.

Changes in this update include:

* v8: fix a crash introduced by previous release (Fedor Indutny)
* crypto: use domains for any callback-taking method (Chris Dickinson)
* http: do not send `0\r\n\r\n` in TE HEAD responses (Fedor Indutny)
* querystring: fix unescape override (Tristan Berger)
* url: Add support for RFC 3490 separators (Mathias Bynens)
* v8: backport CVE-2013-6668
* cluster: disconnect should not be synchronous (Sam Roberts)
* fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)
* stream: fix Readable.wrap objectMode falsy values (James Halliday)
* timers: fix timers with non-integer delay hanging. (Julien Gilli)
——————————————————————————–
ChangeLog:

* Thu Sep 18 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.32-1
– new upstream release 0.10.32
http://blog.nodejs.org/2014/08/19/node-v0-10-31-stable/
http://blog.nodejs.org/2014/09/16/node-v0-10-32-stable/
* Fri Aug 1 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.30-1
– new upstream release 0.10.30
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.29-1
– new upstream release 0.10.29
http://blog.nodejs.org/2014/06/16/node-v0-10-29-stable/
– The invalid UTF8 fix has been reverted since this breaks v8 API, which cannot
be done in a stable distribution release. This build of nodejs will behave as
if NODE_INVALID_UTF8 was set. For more information on the implications, see:
http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.28-1
– new upstream release 0.10.28
There is no difference between 0.10.27 and 0.10.28 for Fedora, as the only
thing updated was npm, which is shipped separately. The latest was only
packaged to avoid confusion. Please see the v0.10.27 changelog for relevant
changes in this update:
http://blog.nodejs.org/2014/05/01/node-v0-10-27-stable/
* Thu Feb 20 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.26-1
– new upstream release 0.10.26
http://blog.nodejs.org/2014/02/18/node-v0-10-26-stable/
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.25-1
– new upstream release 0.10.25
http://blog.nodejs.org/2014/01/23/node-v0-10-25-stable/
* Thu Dec 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.24-1
– new upstream release 0.10.24
http://blog.nodejs.org/2013/12/19/node-v0-10-24-stable/
– upstream install script installs the headers now
* Thu Dec 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.23-1
– new upstream release 0.10.23
http://blog.nodejs.org/2013/12/11/node-v0-10-23-stable/
* Tue Nov 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.22-1
– new upstream release 0.10.22
http://blog.nodejs.org/2013/11/12/node-v0-10-22-stable/
* Fri Oct 18 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.21-1
– new upstream release 0.10.21
http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
– resolves an undisclosed security vulnerability in the http module
* Tue Oct 1 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.20-1
– new upstream release 0.10.20
http://blog.nodejs.org/2013/09/30/node-v0-10-20-stable/
* Wed Sep 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.19-1
– new upstream release 0.10.19
http://blog.nodejs.org/2013/09/24/node-v0-10-19-stable/
* Fri Sep 6 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.18-1
– new upstream release 0.10.18
http://blog.nodejs.org/2013/09/04/node-v0-10-18-stable/
* Tue Aug 27 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.17-1
– new upstream release 0.10.17
http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
* Sat Aug 17 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.16-1
– new upstream release 0.10.16
http://blog.nodejs.org/2013/08/16/node-v0-10-16-stable/
– add v8-devel to -devel Requires
– restrict -devel Requires to the same architecture
* Wed Aug 14 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.14-3
– fix typo in _isa macro in v8 Requires
* Thu Jul 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.14-1
– new upstream release 0.10.14
http://blog.nodejs.org/2013/07/25/node-v0-10-14-stable/
* Wed Jul 10 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.13-1
– new upstream release 0.10.13
http://blog.nodejs.org/2013/07/09/node-v0-10-13-stable/
– remove RPM macros, etc. now that they’ve migrated to nodejs-packaging
* Wed Jun 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.12-1
– new upstream release 0.10.12
http://blog.nodejs.org/2013/06/18/node-v0-10-12-stable/
– split off a -packaging subpackage with RPM macros, etc.
– build -docs as noarch
– copy multiple version logic from nodejs-packaging SRPM for now
——————————————————————————–
References:

[ 1 ] Bug #1074737 – CVE-2013-6668 v8: multiple vulnerabilities fixed in Google Chrome version 33.0.1750.146
https://bugzilla.redhat.com/show_bug.cgi?id=1074737
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update nodejs' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2014-10975
2014-09-19 09:02:25
——————————————————————————–

Name : v8
Product : Fedora 19
Version : 3.14.5.10
Release : 14.fc19
URL : http://code.google.com/p/v8
Summary : JavaScript Engine
Description :
V8 is Google’s open source JavaScript engine. V8 is written in C++ and is used
in Google Chrome, the open source browser from Google. V8 implements ECMAScript
as specified in ECMA-262, 3rd edition.

——————————————————————————–
Update Information:

This update provides the latest stable version of Node.js and corresponding backports to the v8 package.

This update resolves CVE-2013-6668, which has only a minor impact since Node.js is not typically used to execute untrusted JavaScript. For more information on the fixed vulnerability, please see the CVE bugs listed below.

Changes in this update include:

* v8: fix a crash introduced by previous release (Fedor Indutny)
* crypto: use domains for any callback-taking method (Chris Dickinson)
* http: do not send `0\r\n\r\n` in TE HEAD responses (Fedor Indutny)
* querystring: fix unescape override (Tristan Berger)
* url: Add support for RFC 3490 separators (Mathias Bynens)
* v8: backport CVE-2013-6668
* cluster: disconnect should not be synchronous (Sam Roberts)
* fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)
* stream: fix Readable.wrap objectMode falsy values (James Halliday)
* timers: fix timers with non-integer delay hanging. (Julien Gilli)
——————————————————————————–
ChangeLog:

* Wed Sep 17 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-14
– backport bugfix that eliminates unused-local-typedefs warning
– backport security fix: Fix Hydrogen bounds check elimination (CVE-2013-6668; RHBZ#1086120)
– backport fix to segfault caused by the above patch
* Tue Aug 26 2014 David Tardon <dtardon@redhat.com> – 1:3.14.5.10-13
– rebuild for ICU 53.1
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 1:3.14.5.10-12
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 31 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-11
– backport security fix for memory corruption and stack overflow (RHBZ#1125464)
https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
– backport bug fix for x64 MathMinMax for negative untagged int32 arguments.
https://github.com/joyent/node/commit/3530fa9cd09f8db8101c4649cab03bcdf760c434
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-10
– fix corner case in integer comparisons (v8 bug#2416; nodejs bug#7528)
* Sun Jun 8 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 1:3.14.5.10-9
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-8
– use clock_gettime() instead of gettimeofday(), which increases V8 performance
dramatically on virtual machines
* Tue Mar 18 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-7
– backport fix for unsigned integer arithmetic (RHBZ#1077136; CVE-2014-1704)
* Mon Feb 24 2014 Tomas Hrcka <thrcka@redhat.com> – 1:3.14.5.10-6
– Backport fix for incorrect handling of popular pages (RHBZ#1059070; CVE-2013-6640)
* Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-5
– rebuild for icu-52
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-4
– backport fix for enumeration for objects with lots of properties
* Fri Dec 13 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-3
– backport fix for out-of-bounds read DoS (RHBZ#1039889; CVE-2013-6640)
* Fri Aug 2 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:3.14.5.10-2
– backport fix for remote DoS or unspecified other impact via type confusion
(RHBZ#991116; CVE-2013-2882)
——————————————————————————–
References:

[ 1 ] Bug #1074737 – CVE-2013-6668 v8: multiple vulnerabilities fixed in Google Chrome version 33.0.1750.146
https://bugzilla.redhat.com/show_bug.cgi?id=1074737
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update v8' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

Author: Marijo Plepelic
CERT ID: NCERT-REF-2014-09-0021-ADV