FreeBSD : node.js -- multiple vulnerabilities (27180c99-9b5c-11e6-b799-19bef72f4b7c)
Medium Nessus Plugin ID 94415
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionNode.js v6.9.0 LTS contains the following security fixes, specific to v6.x :
Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location.
Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Note that the v8_inspector protocol in Node.js is still considered an experimental feature. Vulnerability originally reported by Jann Horn.
All of these vulnerabilities are considered low-severity for Node.js users, however, users of Node.js v6.x should upgrade at their earliest convenience.
SolutionUpdate the affected package.