security/vuxml: document Node.js January 2021 Security Releases

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ Sponsored by: Miles AS
svn path=/head/; revision=561590
2021-01-14 20:37:35 +00:00 · 2021-01-14 20:37:35 +00:00 · 5980a700d4 · 2021-03-31 03:12:20 +00:00
commit 5980a700d4
parent 8af8bb1b0f
1 changed files with 46 additions and 0 deletions
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -58,6 +58,52 @@ Notes:
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="08b553ed-537a-11eb-be6e-0022489ad614">
+    <topic>Node.js -- January 2021 Security Releases</topic>
+    <affects>
+      <package>
+	<name>node10</name>
+	<range><lt>10.23.1</lt></range>
+      </package>
+      <package>
+	<name>node12</name>
+	<range><lt>12.20.1</lt></range>
+      </package>
+      <package>
+	<name>node14</name>
+	<range><lt>14.15.4</lt></range>
+      </package>
+      <package>
+	<name>node</name>
+	<range><lt>15.5.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Node.js reports:</p>
+	<blockquote cite="https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/">
+	  <h1>use-after-free in TLSWrap (High) (CVE-2020-8265)</h1>
+	  <p>Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.</p>
+	  <h1>HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)</h1>
+	  <p>Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.</p>
+	  <h1>OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)</h1>
+	  <p>iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/</url>
+      <url>https://www.openssl.org/news/secadv/20201208.txt</url>
+      <cvename>CVE-2020-8265</cvename>
+      <cvename>CVE-2020-8287</cvename>
+      <cvename>CVE-2020-1971</cvename>
+    </references>
+    <dates>
+      <discovery>2021-01-04</discovery>
+      <entry>2021-01-14</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="0a8ebf4a-5660-11eb-b4e2-001b217b3468">
    <topic>Gitlab -- vulnerability</topic>
    <affects>