[ubuntu/xenial-security] nodejs 4.2.6~dfsg-1ubuntu4.2 (Accepted)
Mike Salvatore
mike.salvatore at canonical.com
Fri Aug 10 14:24:38 UTC 2018
nodejs (4.2.6~dfsg-1ubuntu4.2) xenial-security; urgency=medium
* SECURITY UPDATE: CRLF injection vulnerability
- debian/patches/CVE-2016-5325-1.patch: Previously, the reason argument
passed to ServerResponse#writeHead was not being properly validated. One
could pass CRLFs which could lead to http response splitting. This
commit changes the behavior to throw an error in the event any invalid
characters are included in the reason.
lib/_http_common.js
lib/_http_server.js
test/parallel/test-http-status-reason-invalid-chars.js
- debian/patches/CVE-2016-5325-2.patch: The certificates in test fixtures
were set to expire in 999 days since they were generated. That time has
passed, and they have to be reissued. Bump expiration time to 99999 days
for all of them to prevent this from happening again in near future.
- CVE-2016-5325
Date: 2018-08-09 19:52:13.188448+00:00
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
https://launchpad.net/ubuntu/+source/nodejs/4.2.6~dfsg-1ubuntu4.2
-------------- next part --------------
Sorry, changesfile not available.
More information about the Xenial-changes
mailing list