[3.0] nodejs: Security issues (CVE-2016-2086, CVE-2016-2216)
(CVE-2016-2086) Request smuggling vulnerability
A request smuggling vulnerability was found in Node.js
that can be exploited under certain unspecified circumstances.
Fixed In Version:
nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0
(CVE-2016-2216) Response splitting vulnerability using Unicode characters
It was reported that HTTP header parsing in Node.js is vulnerable to
response splitting attacks.
While Node.js has been protecting against response splitting attacks by
checking for CRLF characters,
it is possible to compose response headers using Unicode characters that
decompose to these characters,
bypassing the checks previously in place.
Fixed In Version:
nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0
References:
https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2016-2086
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2016-2216
(from redmine: issue id 5157, created on 2016-02-22, closed on 2016-02-24)
- Relations:
- parent #5153 (closed)
- Changesets:
- Revision 175b1af0 on 2016-02-23T15:07:04Z:
main/nodejs: security upgrade to 0.10.42 (CVE-2016-2086, CVE-2016-2216). Fixes #5157