pkgsrc/lang/nodejs/distinfo
adam 4df09907ad nodejs: updated to 10.16.3
Version 10.16.3 'Dubnium' (LTS):

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, has been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
2019-08-16 15:18:16 +00:00


$NetBSD: distinfo,v 1.153 2019/08/16 15:18:16 adam Exp $
SHA1 (node-v10.16.3.tar.gz) = 21ef023ff05eb3c328d08e9e6196fbba301add28
RMD160 (node-v10.16.3.tar.gz) = dfbd885f84180ae08ede0b5dfe6c64b644402aad
SHA512 (node-v10.16.3.tar.gz) = c3a95d8810599db8e9a17932c55ff57223cf9e66028e776088420023ab7ba393e9b60518a189fcab46ca2597d213f8a6414abba282a73c9501c294dbc7b041e6
Size (node-v10.16.3.tar.gz) = 45870800 bytes
SHA1 (patch-common.gypi) = de37949f38d9bd39a18b59d59ec74e528bd323ac
SHA1 (patch-deps_cares_cares.gyp) = 22b44f2ac59963f694dfe4f4585e08960b3dec32
SHA1 (patch-deps_openssl_config_archs_linux-elf_asm_openssl-cl.gypi) = 12c91ca27ced24cabd714902fad9c9eb0ba40f9b
SHA1 (patch-deps_openssl_config_bn__conf__asm.h) = a4cf4f0771c96fb09a00b76b25d35000d65ef92f
SHA1 (patch-deps_openssl_config_bn__conf__no-asm.h) = c13b305c7a93b7adf61186d50ac637a6d180fa18
SHA1 (patch-deps_openssl_config_dso__conf__asm.h) = ae8285306fd165dc881fd8c6783cf0977d73371a
SHA1 (patch-deps_openssl_config_dso__conf__no-asm.h) = 78fe6bf2251940ad27913a624abdfb892e69f438
SHA1 (patch-deps_openssl_config_opensslconf__asm.h) = e9bb26b66431595d13d4173d3ed5f3e583bd009f
SHA1 (patch-deps_openssl_config_opensslconf__no-asm.h) = 63c493a4e2b98fb630a094908aa5c4b629181d15
SHA1 (patch-deps_openssl_openssl-cl__asm.gypi) = addb5837ea7b8ea2732cd2f5aaa8a24289b1199f
SHA1 (patch-deps_openssl_openssl-cl__no__asm.gypi) = 73368f336dbe500e45f0ba6bbb7656416a27b294
SHA1 (patch-deps_openssl_openssl__asm.gypi) = b85e1f5a9f862d469afcb36ff6e1ad202bea704a
SHA1 (patch-deps_openssl_openssl__no__asm.gypi) = b549ea34f51e26669a41a64da0db10e92f0d0a99
SHA1 (patch-deps_openssl_openssl_crypto_rand_rand__unix.c) = ba8d4602c3386801ad8d3c33c757c69ad3d25a34
SHA1 (patch-deps_uv_common.gypi) = d38a9c8d9e3522f15812aec2f5b1e1e636d4bab3
SHA1 (patch-deps_uv_src_unix_netbsd.c) = 76b27ae86aa80582554ee824146ee7c42c33883b
SHA1 (patch-deps_v8_src_arm_assembler-arm-inl.h) = 56a5d6539d31e19673ef61cc91f003109c69dc29
SHA1 (patch-deps_v8_src_arm_assembler-arm.cc) = f32d5d2a1096f822c813eaf6d02b9348564213f6
SHA1 (patch-deps_v8_src_arm_cpu-arm.cc) = d0d11ac474ab109a6f40b26fa457b12d742eb48d
SHA1 (patch-deps_v8_src_base_atomicops.h) = 552d2b7781b39b93392fd00043b1cf4cb10802da
SHA1 (patch-deps_v8_src_base_platform_platform-freebsd.cc) = 427c7712fc1c2872fc48e593f7ab491c69ee44e3
SHA1 (patch-deps_v8_src_base_platform_platform-openbsd.cc) = 5e593879dbab095f99e82593272a0de91043f9a8
SHA1 (patch-deps_v8_src_base_platform_platform-posix.cc) = 0d80cc6587af9220832de112834e9f50242f819f
SHA1 (patch-deps_v8_src_base_platform_semaphore.cc) = aa84bf1dbaac5808529f6b01502d117c88751649
SHA1 (patch-deps_v8_src_compiler_types.h) = 711cc94535200374104c3cd1f0fbbd00994701a6
SHA1 (patch-deps_v8_src_globals.h) = 6695a381000844ad9837bdbc3edbe9040ec4d5ff
SHA1 (patch-deps_v8_src_log-utils.h) = 765e4e4af2cb11e38c033174ac92fbb6ee1fd480
SHA1 (patch-deps_v8_tools_run-llprof.sh) = 39aa3faf77492ef8dd35b411b7b0e4605b469af3
SHA1 (patch-node.gypi) = 4a104dba6c22702211009bc60a6be6f87554e2fa
SHA1 (patch-src_cares__wrap.cc) = a26a162f130468cbc0650a33b27b71377d273704
SHA1 (patch-src_inspector__agent.cc) = 6066c01b671a1d416440b073a7a21fdf22eef926
SHA1 (patch-src_node__postmortem__metadata.cc) = 9938482d724ad6636af5dc3fa719ec26ed8539ff
SHA1 (patch-tools_gyp_pylib_gyp_common.py) = 8d76b78e46b0ba2fef08294872e17a068d595f32
SHA1 (patch-tools_gyp_pylib_gyp_generator_make.py) = be3cc1aaa85c3d59b6f2758df813cb5ad8d8f74e
SHA1 (patch-tools_gyp_pylib_gyp_xcode__emulation.py) = 15937c419f3226ab280c7bcd5d726773cb5add57
SHA1 (patch-tools_install.py) = aae60d31e8c2e74f18c61c328913412545943d79
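The distinfo above is what pkgsrc uses to pin the fetched distfile and the local patches. As an added example (not pkgsrc's own fetch code), the following parser reads the `ALGO (file) = value` line format shown above and verifies a file's bytes against every recorded digest and the `Size` entry; the distfile bytes and the distinfo it checks are constructed here so the block runs offline.

```python
import hashlib
import re

# Constructed sample stand-in for a distfile; the real distinfo on this page
# describes node-v10.16.3.tar.gz, which is not embedded here.
SAMPLE_DISTFILE = b"constructed bytes standing in for a distfile\n"

def _digest(algo, data):
    return hashlib.new(algo, data).hexdigest()

# Constructed distinfo in the same format as the page's file; the digests are
# derived from SAMPLE_DISTFILE so the sample is self-consistent.
SAMPLE_DISTINFO = f"""$NetBSD: distinfo,v 1.1 2019/08/16 00:00:00 example Exp $
SHA1 (sample-1.0.tar.gz) = {_digest('sha1', SAMPLE_DISTFILE)}
SHA512 (sample-1.0.tar.gz) = {_digest('sha512', SAMPLE_DISTFILE)}
Size (sample-1.0.tar.gz) = {len(SAMPLE_DISTFILE)} bytes
SHA1 (patch-example.c) = 0000000000000000000000000000000000000000
"""

# "ALGO (filename) = value", with an optional trailing " bytes" on Size lines.
LINE_RE = re.compile(r"^(\w+) \((\S+)\) = (\S+)(?: bytes)?$")

def parse_distinfo(text):
    """Return {filename: {algo: expected_value}} for every checksum/size line."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("$NetBSD"):
            continue  # RCS id header carries no checksum
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable distinfo line: {line!r}")
        algo, fname, value = m.groups()
        entries.setdefault(fname, {})[algo] = value
    return entries

def verify_distfile(entries, fname, data):
    """Check data against every recorded digest and size for fname.
    Returns (ok, messages). A digest hashlib cannot compute (e.g. RMD160 on
    some OpenSSL 3 builds) is reported as skipped and never counted as a pass;
    a file with no verifiable digest at all fails."""
    if fname not in entries:
        return False, [f"{fname}: no distinfo entry"]
    msgs, ok, checked = [], True, 0
    for algo, expected in entries[fname].items():
        if algo == "Size":
            actual = str(len(data))
        else:
            try:  # distinfo names map onto hashlib names
                actual = _digest({"RMD160": "ripemd160"}.get(algo, algo.lower()), data)
            except ValueError:
                msgs.append(f"{fname}: {algo} skipped (algorithm unavailable)")
                continue
        checked += 1
        if actual != expected:
            ok = False
            msgs.append(f"{fname}: {algo} mismatch")
    if checked == 0:
        return False, msgs + [f"{fname}: no verifiable digest"]
    return ok, msgs
```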