FreeBSD : node.js -- multiple vulnerabilities (3eff66c5-66c9-11e7-aa1d-3d2e663cef42)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Updates are now available for all active Node.js release lines as well
as the 7.x line. These include the fix for the high severity
vulnerability identified in the initial announcement, one additional
lower priority Node.js vulnerability in the 4.x release line, as well
as some lower priority fixes for Node.js dependencies across the
current release lines.

Constant Hashtable Seeds (CVE pending)

Node.js was susceptible to hash flooding remote DoS attacks as the
HashTable seed was constant across a given released version of
Node.js. This was a result of building with V8 snapshots enabled by
default which caused the initially randomized seed to be overwritten
on startup. Thanks to Jann Horn of Google Project Zero for reporting
this vulnerability.

This is a high severity vulnerability and applies to all active
release lines (4.x, 6.x, 8.x) as well as the 7.x line.

http.get with numeric authorization options creates uninitialized
buffers

Application code that allows the auth field of the options object used
with http.get() to be set to a number can result in an uninitialized
buffer being created/used as the authentication string.

This is a low severity defect and only applies to the 4.x release
line.
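
As an added illustration (not part of the advisory or of Node.js
itself), application code that builds http.get() options from untrusted
input can reject a non-string auth value before the request is made.
The function names, field layout and sample inputs are assumptions
constructed for this example.

```javascript
// Added example: names and sample inputs are hypothetical, not from the advisory.

// Constructed inputs, shaped like JSON.parse() output from a request body.
// JSON can deliver a number or array where the code expects a string.
const SAMPLE_INPUTS = [
  { host: 'api.example.test', path: '/status', auth: 'svc:s3cret' },
  { host: 'api.example.test', path: '/status', auth: 4096 },
  { host: 'api.example.test', path: '/status', auth: ['svc', 's3cret'] },
  { host: 'api.example.test', path: '/status' },
];

// Copy only known fields and require each one to be a primitive string.
function buildRequestOptions(untrusted) {
  const options = {};
  for (const field of ['host', 'path', 'auth']) {
    const value = untrusted[field];
    if (value === undefined && field === 'auth') continue; // auth is optional
    if (typeof value !== 'string') {
      throw new TypeError(field + ' must be a string, got ' + typeof value);
    }
    options[field] = value;
  }
  return options; // validated; can be passed to http.get(options, callback)
}

// Second layer: Buffer.from() throws a TypeError for a number instead of
// allocating a buffer of that size.
function basicAuthHeader(auth) {
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Validate every sample and report which ones would be allowed through.
function checkAll(inputs) {
  return inputs.map((input) => {
    try {
      return { ok: true, options: buildRequestOptions(input) };
    } catch (err) {
      return { ok: false, error: err.message };
    }
  });
}

console.log(checkAll(SAMPLE_INPUTS));
```

Only the first and last constructed inputs pass; the numeric and array
auth values are rejected before any request options are produced.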

See also :

https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
http://www.nessus.org/u?a10f03be

Solution :

Update the affected packages.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 101539

Bugtraq ID:

CVE ID:
