SB2017120904 - Input validation error in nodejs-current (Alpine package)
Published: December 9, 2017
Security Bulletin ID
SB2017120904
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2017-15896)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=d5846d84581dd768db790e681b6aa1b312a32f24
- https://git.alpinelinux.org/aports/commit/?id=3845824f27293ae03fd0408b8a798233934738dd
- https://git.alpinelinux.org/aports/commit/?id=33e07701fafe36a157f32d67a4f84670a31a7a55
- https://git.alpinelinux.org/aports/commit/?id=9221447d2d1a796bb103477d012beece75ac680e