| Message ID | 20221119101904.230827-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/nodejs: security bump to version 16.18.1 | expand |
Peter, All, On 2022-11-19 11:19 +0100, Peter Korsgaard spake thusly: > Fixes the following security issue: > > DNS rebinding in --inspect via invalid octal IP address (Medium) (CVE-2022-43548) > > The Node.js rebinding protector for --inspect still allows invalid IP > address, specifically, the octal format. An example of an octal IP address > is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8 > number system. Browsers such as Firefox (tested on latest version m105) > will still attempt to resolve this invalid octal address via DNS. When > combined with an active --inspect session, such as when using VSCode, an > attacker can perform DNS rebinding and execute arbitrary code > > Update license hash for an update of base64 (MIT license) and a change in > copyright year: > > https://github.com/nodejs/node/commit/8ea9a71b15a953cd0936f7e6aae84c62873a77b5 > https://github.com/nodejs/node/commit/9f14dc1a8f43a9f3755c673009378b798cbdd73b > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/nodejs/nodejs.hash | 6 +++--- > package/nodejs/nodejs.mk | 2 +- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash > index 83e4c271ce..4408782248 100644 > --- a/package/nodejs/nodejs.hash > +++ b/package/nodejs/nodejs.hash > @@ -1,5 +1,5 @@ > -# From https://nodejs.org/dist/v16.17.1/SHASUMS256.txt > -sha256 6721feb4152d56d2c6b358ce397abd5a7f1daf09ee2e25c5021b9b4d3f86a330 node-v16.17.1.tar.xz > +# From https://nodejs.org/dist/v16.18.1/SHASUMS256.txt > +sha256 1f8051a88f86f42064f4415fe7a980e59b0a502ecc8def583f6303bc4d445238 node-v16.18.1.tar.xz > > # Hash for license file > -sha256 69090e865afa7c62715b97f0712632d2923bd7a5faba91f94e4e75a2f9219d5e LICENSE > +sha256 0bec08634ba79b5404f6b7f92ea850f3c2a06e27e6f83f2267e4f5e55ae33334 LICENSE > diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk > index 29a10b900f..367d5d2058 100644 > --- a/package/nodejs/nodejs.mk > +++ b/package/nodejs/nodejs.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -NODEJS_VERSION = 16.17.1 > +NODEJS_VERSION = 16.18.1 > NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz > NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION) > NODEJS_DEPENDENCIES = \ > -- > 2.30.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issue: > DNS rebinding in --inspect via invalid octal IP address (Medium) (CVE-2022-43548) > The Node.js rebinding protector for --inspect still allows invalid IP > address, specifically, the octal format. An example of an octal IP address > is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8 > number system. Browsers such as Firefox (tested on latest version m105) > will still attempt to resolve this invalid octal address via DNS. When > combined with an active --inspect session, such as when using VSCode, an > attacker can perform DNS rebinding and execute arbitrary code > Update license hash for an update of base64 (MIT license) and a change in > copyright year: > https://github.com/nodejs/node/commit/8ea9a71b15a953cd0936f7e6aae84c62873a77b5 > https://github.com/nodejs/node/commit/9f14dc1a8f43a9f3755c673009378b798cbdd73b > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2022.08.x, thanks.
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash index 83e4c271ce..4408782248 100644 --- a/package/nodejs/nodejs.hash +++ b/package/nodejs/nodejs.hash @@ -1,5 +1,5 @@ -# From https://nodejs.org/dist/v16.17.1/SHASUMS256.txt -sha256 6721feb4152d56d2c6b358ce397abd5a7f1daf09ee2e25c5021b9b4d3f86a330 node-v16.17.1.tar.xz +# From https://nodejs.org/dist/v16.18.1/SHASUMS256.txt +sha256 1f8051a88f86f42064f4415fe7a980e59b0a502ecc8def583f6303bc4d445238 node-v16.18.1.tar.xz # Hash for license file -sha256 69090e865afa7c62715b97f0712632d2923bd7a5faba91f94e4e75a2f9219d5e LICENSE +sha256 0bec08634ba79b5404f6b7f92ea850f3c2a06e27e6f83f2267e4f5e55ae33334 LICENSE diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk index 29a10b900f..367d5d2058 100644 --- a/package/nodejs/nodejs.mk +++ b/package/nodejs/nodejs.mk @@ -4,7 +4,7 @@ # ################################################################################ -NODEJS_VERSION = 16.17.1 +NODEJS_VERSION = 16.18.1 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION) NODEJS_DEPENDENCIES = \
Fixes the following security issue: DNS rebinding in --inspect via invalid octal IP address (Medium) (CVE-2022-43548) The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format. An example of an octal IP address is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8 number system. Browsers such as Firefox (tested on latest version m105) will still attempt to resolve this invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code Update license hash for an update of base64 (MIT license) and a change in copyright year: https://github.com/nodejs/node/commit/8ea9a71b15a953cd0936f7e6aae84c62873a77b5 https://github.com/nodejs/node/commit/9f14dc1a8f43a9f3755c673009378b798cbdd73b Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/nodejs/nodejs.hash | 6 +++--- package/nodejs/nodejs.mk | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-)