Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2021-0069)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.10.2021.0069

Kategorie: Mageia Linux Local Security Checks

Titel: Mageia: Security Advisory (MGASA-2021-0069)

Zusammenfassung: The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0069 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0069 advisory.

Vulnerability Insight:
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a
use-after-free bug in its TLS implementation. When writing to a TLS enabled
socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method does not
return an error, this object is passed back to the caller as part of a
StreamWriteResult structure. This may be exploited to corrupt memory leading
to a Denial of Service or potentially other exploits. (CVE-2020-8265).

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of
a header field in an HTTP request (for example, two Transfer-Encoding header
fields). In this case, Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287).

Affected Software/OS:
'nodejs' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2020-8265
Debian Security Information: DSA-4826 (Google Search)
https://www.debian.org/security/2021/dsa-4826
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
https://security.gentoo.org/glsa/202101-07
https://hackerone.com/reports/988103
https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
https://www.oracle.com/security-alerts/cpujan2021.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-8287
https://hackerone.com/reports/1002188
https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html

Copyright Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.10.2021.0069
Kategorie:	Mageia Linux Local Security Checks
Titel:	Mageia: Security Advisory (MGASA-2021-0069)
Zusammenfassung:	The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0069 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'nodejs' package(s) announced via the MGASA-2021-0069 advisory. Vulnerability Insight: Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. (CVE-2020-8265). Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287). Affected Software/OS: 'nodejs' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2020-8265 Debian Security Information: DSA-4826 (Google Search) https://www.debian.org/security/2021/dsa-4826 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/ https://security.gentoo.org/glsa/202101-07 https://hackerone.com/reports/988103 https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ https://www.oracle.com/security-alerts/cpujan2021.html Common Vulnerability Exposure (CVE) ID: CVE-2020-8287 https://hackerone.com/reports/1002188 https://lists.debian.org/debian-lts-announce/2022/12/msg00009.html
Copyright	Copyright (C) 2022 Greenbone AG