[FREEBSD:4CA5894C-F7F1-11EA-8FF8-0022489AD614] Node.js -- September 2020 Security Releases
Severity
High
Affected Packages
3
CVEs
3
Node.js reports:
Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.
HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.
Impacts:
All versions of the 14.x and 12.x releases line
Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)
Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.
Impacts:
All versions of the 14.x release line
fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)
libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
Impacts:
All versions of the 10.x release line
All versions of the 12.x release line
All versions of the 14.x release line before 14.9.0
| Package | Affected Version |
|---|---|
 pkg:freebsd/node12
|
< 12.18.4 |
|
pkg:freebsd/node10
|
< 10.22.1 |
|
pkg:freebsd/node
|
< 14.11.0 |
- ID
- FREEBSD:4CA5894C-F7F1-11EA-8FF8-0022489AD614
- Severity
- high
- Severity from
- CVE-2020-8252
- URL
- http://vuxml.freebsd.org/freebsd/4ca5894c-f7f1-11ea-8ff8-0022489ad614.html
- Published
-
2020-09-08T00:00:00
(4 years ago) - Modified
-
2020-09-16T00:00:00
(4 years ago) - Rights
- FreeBSD VuXML Security Team
- Other Advisories
-
-
ALAS2-2021-1581
-
ALPINE:CVE-2020-8201
-
ALPINE:CVE-2020-8251
-
ALPINE:CVE-2020-8252
-
ALSA-2020:4272
-
ALSA-2021:0548
-
ELSA-2020-4272
-
ELSA-2021-0548
-
FEDORA-2020-43d5a372fc
-
GLSA-202009-15
-
GLSA-202101-07
-
openSUSE-SU-2020:1616-1
-
openSUSE-SU-2020:1660-1
-
RHSA-2020:4272
-
RHSA-2021:0548
-
RLSA-2020:4272
-
RLSA-2021:0548
-
SUSE-SU-2020:2812-1
-
SUSE-SU-2020:2813-1
-
SUSE-SU-2020:2823-1
-
SUSE-SU-2020:2829-1
-
USN-4548-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| FreeBSD VuXML |
|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |