FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

node.js -- Data Confidentiality/Integrity Vulnerability, December 2017

Affected packages
node4 < 4.8.7
node6 < 6.12.2
node8 < 8.9.3
node < 9.2.1

Details

VuXML ID bea84a7a-e0c9-11e7-b4f3-11baa0c2df21
Discovery 2017-12-08
Entry 2017-12-14

Node.js reports:

Data Confidentiality/Integrity Vulnerability - CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

Uninitialized buffer vulnerability - CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Also included in OpenSSL update - CVE 2017-3738

Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.

References

CVE Name CVE-2017-15896
CVE Name CVE-2017-15897
CVE Name CVE-2017-3738
URL https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/