nodejs: multiple issues (CVE-2015-6764 CVE-2015-8027)
CVE-2015-8027: a high-impact denial of service vulnerability
A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.
Versions 0.10.x of Node.js are not affected.
Versions 0.12.x of Node.js are vulnerable.
Versions 4.x, including LTS Argon, of Node.js are vulnerable.
Versions 5.x of Node.js are vulnerable.
CVE-2015-6764: a low-impact V8 out-of-bounds access vulnerability
An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users (see CVSS scoring below), but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.
Versions 0.10.x of Node.js are not affected.
Versions 0.12.x of Node.js are not affected.
Versions 4.x, including LTS Argon, of Node.js are vulnerable.
Versions 5.x of Node.js are vulnerable.
References:
https://nodejs.org/en/blog/vulnerability/december-2015-security-releases/
https://nodejs.org/en/blog/vulnerability/cve-2015-8027_cve-2015-6764/
(from redmine: issue id 4935, created on 2015-12-08, closed on 2015-12-09)
- Relations:
- child #4936 (closed)
- child #4937 (closed)