This script is Copyright (C) 2016 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
Node.js v6.9.0 LTS contains the following security fixes, specific to
- Disable auto-loading of openssl.cnf: Don't automatically attempt to
  load an OpenSSL configuration file, from the OPENSSL_CONF environment
  variable or from the default location for the current platform. Always
  triggering a configuration file load attempt may allow an attacker to
  load compromised OpenSSL configuration into a Node.js process if they
  are able to place a file in a default location.
- Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser
  mishandled scopes, potentially allowing an attacker to obtain
  sensitive information from arbitrary memory locations via crafted
- Create a unique v8_inspector WebSocket address: Generate a UUID for
  each execution of the inspector. This provides additional security to
  prevent unauthorized clients from connecting to the Node.js process
  via the v8_inspector port when running with --inspect. Since the
  debugging protocol allows extensive access to the internals of a
  running process, and the execution of arbitrary code, it is important
  to limit connections to authorized tools only. Note that the
  v8_inspector protocol in Node.js is still considered an experimental
  feature. Vulnerability originally reported by Jann Horn.
All of these vulnerabilities are considered low-severity for Node.js
users; however, users of Node.js v6.x should upgrade at their earliest
See also :
Update the affected package.
Risk factor :
Medium / CVSS Base Score : 4.3