nodejs: CVE-2015-7384: HTTP Denial of Service Vulnerability

Related Vulnerabilities: CVE-2015-7384  

Debian Bug report logs - #800580

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 1 Oct 2015 07:45:02 UTC

Severity: important

Tags: security, upstream

Found in version nodejs/4.1.1~dfsg-2

Fixed in version nodejs/4.1.1~dfsg-3

Done: Jérémy Lal <kapouer@melix.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#800580; Package src:nodejs. (Thu, 01 Oct 2015 07:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 01 Oct 2015 07:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nodejs: CVE-2015-7384: HTTP Denial of Service Vulnerability
Date: Thu, 01 Oct 2015 09:41:34 +0200
Source: nodejs
Version: 4.1.1~dfsg-2
Severity: important
Tags: security upstream

Hi,

the following CVE was published for nodejs on [0], but details and
patches will be available on Monday the 5th of October 2015. But
according to upstream 4.1.1 is affected, so filing this bug already.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://groups.google.com/forum/#!topic/nodejs-sec/fSNEQiuof6I

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#800580; Package src:nodejs. (Fri, 02 Oct 2015 07:51:03 GMT)


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 02 Oct 2015 07:51:03 GMT)


Message #10 received at 800580@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 800580@bugs.debian.org
Subject: Re: Bug#800580: nodejs: CVE-2015-7384: HTTP Denial of Service Vulnerability
Date: Fri, 2 Oct 2015 09:46:38 +0200
2015-10-01 9:41 GMT+02:00 Salvatore Bonaccorso <carnil@debian.org>:

> Source: nodejs
> Version: 4.1.1~dfsg-2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following CVE was published for nodejs on [0], but details and
> patches will be available on Monday the 5th of October 2015. But
> according to upstream 4.1.1 is affected, so filing this bug already.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.


Hi,

upstream is willing to coordinate the release of the fix, so I'll be able
to upload a fixed version at about the same time as it is disclosed.

Jérémy.

Added tag(s) pending. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Mon, 05 Oct 2015 20:21:05 GMT)


Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Mon, 05 Oct 2015 21:27:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Oct 2015 21:27:14 GMT)


Message #17 received at 800580-close@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: 800580-close@bugs.debian.org
Subject: Bug#800580: fixed in nodejs 4.1.1~dfsg-3
Date: Mon, 05 Oct 2015 21:24:45 +0000
Source: nodejs
Source-Version: 4.1.1~dfsg-3

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 800580@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 05 Oct 2015 22:31:38 +0200
Source: nodejs
Binary: nodejs-dev nodejs nodejs-dbg nodejs-legacy
Architecture: source amd64 all
Version: 4.1.1~dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description:
 nodejs     - evented I/O for V8 javascript
 nodejs-dbg - evented I/O for V8 javascript (debug)
 nodejs-dev - evented I/O for V8 javascript (development files)
 nodejs-legacy - evented I/O for V8 javascript (legacy symlink)
Closes: 800580
Changes:
 nodejs (4.1.1~dfsg-3) unstable; urgency=high
 .
   * Security fix for CVE-2015-7384 (Closes: #800580)
   * Forward 2014_donotinclude_root_certs.patch




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 08 Dec 2015 07:31:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:04:25 2019; Machine Name: buxtehude
