nodejs: CVE-2015-8027 CVE-2015-6764

Related Vulnerabilities: CVE-2015-8027 CVE-2015-6764

Debian Bug report logs - #806385

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 26 Nov 2015 21:09:02 UTC

Severity: important

Tags: security, upstream

Found in version nodejs/4.2.1~dfsg-1

Fixed in versions nodejs/4.2.3~dfsg-1, nodejs/5.1.1~dfsg-1

Done: Jérémy Lal <kapouer@melix.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#806385; Package src:nodejs. (Thu, 26 Nov 2015 21:09:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 26 Nov 2015 21:09:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nodejs: CVE-2015-8027 CVE-2015-6764
Date: Thu, 26 Nov 2015 22:04:35 +0100
Source: nodejs
Version: 4.2.1~dfsg-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for nodejs, but the fix
is only made available on 2nd of December, 2015, UTC.

CVE-2015-8027[0]:
denial of service vulnerability

CVE-2015-6764[1]:
V8 out-of-bounds access vulnerability

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8027
[1] https://security-tracker.debian.org/tracker/CVE-2015-6764
[2] https://nodejs.org/en/blog/vulnerability/cve-2015-8027_cve-2015-6764/

Regards,
Salvatore



Added tag(s) pending. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Fri, 04 Dec 2015 08:06:03 GMT).


Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Fri, 04 Dec 2015 09:27:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 04 Dec 2015 09:27:10 GMT).


Message #12 received at 806385-close@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: 806385-close@bugs.debian.org
Subject: Bug#806385: fixed in nodejs 4.2.3~dfsg-1
Date: Fri, 04 Dec 2015 09:25:24 +0000
Source: nodejs
Source-Version: 4.2.3~dfsg-1

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 806385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 04 Dec 2015 09:02:50 +0100
Source: nodejs
Binary: nodejs-dev nodejs nodejs-dbg nodejs-legacy
Architecture: source amd64 all
Version: 4.2.3~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description:
 nodejs     - evented I/O for V8 javascript
 nodejs-dbg - evented I/O for V8 javascript (debug)
 nodejs-dev - evented I/O for V8 javascript (development files)
 nodejs-legacy - evented I/O for V8 javascript (legacy symlink)
Closes: 806385
Changes:
 nodejs (4.2.3~dfsg-1) unstable; urgency=high
 .
   * Imported Upstream version 4.2.3~dfsg
   * CVE-2015-6764 V8 Out-of-bounds Access Vulnerability
     (Closes: #806385)
   * CVE-2015-8027 Denial of Service Vulnerability
     (Closes: #806385)
   * Patch: openssl -ssl3 fails immediately causing
     test-tls-no-sslv3 failure.




Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Fri, 04 Dec 2015 09:57:12 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 04 Dec 2015 09:57:12 GMT).


Message #17 received at 806385-close@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: 806385-close@bugs.debian.org
Subject: Bug#806385: fixed in nodejs 5.1.1~dfsg-1
Date: Fri, 04 Dec 2015 09:56:27 +0000
Source: nodejs
Source-Version: 5.1.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 806385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 04 Dec 2015 09:59:15 +0100
Source: nodejs
Binary: nodejs-dev nodejs nodejs-dbg nodejs-legacy
Architecture: source amd64 all
Version: 5.1.1~dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description:
 nodejs     - evented I/O for V8 javascript
 nodejs-dbg - evented I/O for V8 javascript (debug)
 nodejs-dev - evented I/O for V8 javascript (development files)
 nodejs-legacy - evented I/O for V8 javascript (legacy symlink)
Closes: 806385
Changes:
 nodejs (5.1.1~dfsg-1) experimental; urgency=medium
 .
   * Imported Upstream version 5.1.1~dfsg
   * CVE-2015-6764 V8 Out-of-bounds Access Vulnerability
     (Closes: #806385)
   * CVE-2015-8027 Denial of Service Vulnerability
     (Closes: #806385)
   * Patch: openssl -ssl3 fails immediately causing
     test-tls-no-sslv3 failure.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Apr 2016 07:34:18 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:44:58 2019; Machine Name: beach
