[3.4] nodejs: Wildcard certificates not properly validated (CVE-2016-7099)
This is a high-severity defect that would allow a malicious TLS server
to serve an invalid wildcard certificate for its hostname and have it
improperly validated by a Node.js client. This is due to a flaw in the
validation of "*." in the wildcard name string.
Fixed In Version:
nodejs 6.7.0, nodejs 4.6.0, nodejs 0.12.16, nodejs 0.10.47
References:
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7099
(from redmine: issue id 6335, created on 2016-10-12, closed on 2019-05-03)
- Relations:
- parent #6333
- Changesets:
- Revision d1d56c01 by Natanael Copa on 2016-11-08T12:40:43Z:
main/nodejs: security upgrade to 6.7.0 (CVE-2016-7099)
fixes #6335
- Revision 8ffd18ba by Natanael Copa on 2016-11-08T13:04:18Z:
main/nodejs-lts: security upgrade to 4.6.0 (CVE-2016-7099)
fixes #6335
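
What strict handling of a "*." wildcard name looks like on the client side, as an added example that is not part of the original issue and is not Node.js's own code. The matching rules are assumed from RFC 6125 section 6.4.3; the function names and sample hostnames are constructed for illustration.

```javascript
// Added example: strict matching of a hostname against one certificate DNS name.
// Rules are assumed from RFC 6125 section 6.4.3; this is not Node.js source.

function splitLabels(name) {
  // Compare case-insensitively and ignore a single trailing dot.
  return name.toLowerCase().replace(/\.$/, '').split('.');
}

function matchesCertName(hostname, pattern) {
  // IP literals belong to iPAddress SAN entries, never to DNS wildcards.
  if (/^[\d.]+$/.test(hostname) || hostname.includes(':')) return false;
  // A "*" is only meaningful in the certificate, not in the requested host.
  if (hostname.includes('*')) return false;

  const host = splitLabels(hostname);
  const pat = splitLabels(pattern);

  // Empty labels ("", "a..b") never match.
  if (host.includes('') || pat.includes('')) return false;
  // A wildcard anywhere but the leftmost label is rejected outright.
  if (pat.slice(1).some((label) => label.includes('*'))) return false;

  if (pat[0].includes('*')) {
    // The leftmost label must be exactly "*": no "f*o", no "**".
    if (pat[0] !== '*') return false;
    // At least two labels must follow, so "*." and "*.com" are rejected.
    if (pat.length < 3) return false;
  }

  // "*" covers exactly one label, so label counts must agree.
  if (host.length !== pat.length) return false;
  return pat.every((label, i) => label === '*' || label === host[i]);
}

// Constructed sample pairs: [requested hostname, name presented in the certificate].
const samples = [
  ['www.example.com', '*.example.com'],
  ['example.com', '*.example.com'],
  ['a.b.example.com', '*.example.com'],
  ['example.com', '*.com'],
  ['www.example.com', '*.'],
];

function checkSamples() {
  return samples.map(([host, pattern]) => [host, pattern, matchesCertName(host, pattern)]);
}

for (const row of checkSamples()) console.log(row.join('  '));
```

Only the first sample pair is accepted; the others are rejected because the wildcard would have to cover zero labels, several labels, or an entire registry-level suffix.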