From nobody Thu Oct 14 18:31:25 2021 Date: Thu, 14 Oct 2021 18:31:25 GMT Message-Id: <202110141831.19EIVPZp033234@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org 
From: "Bradley T. Hughes" Subject: git: 5cc1cb529d43 - main - security/vuxml: document Node.js October 2021 Security Releases List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bhughes X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 5cc1cb529d439922e254a8f2fb05fcb6af270cc4 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by bhughes: URL: https://cgit.FreeBSD.org/ports/commit/?id=5cc1cb529d439922e254a8f2fb05fcb6af270cc4 commit 5cc1cb529d439922e254a8f2fb05fcb6af270cc4 Author: Bradley T. Hughes AuthorDate: 2021-10-14 18:03:21 +0000 Commit: Bradley T. Hughes CommitDate: 2021-10-14 18:31:11 +0000 security/vuxml: document Node.js October 2021 Security Releases https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/ Sponsored by: Miles AS --- security/vuxml/vuln-2021.xml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 42300253f921..514be5f87788 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,37 @@ + + Node.js -- October 2021 Security Releases + + + node + 16.11.1 + + + node14 + 14.18.1 + + + + +

Node.js reports:

+
+

HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)

+

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).

+

HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)

+

The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

+
+ +
+ + CVE-2021-22959 + CVE-2021-22960 + https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/ + + + 2021-10-12 + 2021-10-14 + +
+ OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand
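
Review bot: The affects list in this entry names only two packages, node (16.11.1) and node14 (14.18.1), so any other Node.js branch port that bundles the same HTTP parser would go unflagged by a vulnerability audit; please confirm no other branch is still in the tree, or add a package range for it. In the description text, "The parse ignores chunk extensions" reads as if words were dropped, and the first heading says "spaced in headers"; both are worth checking against the advisory URL given in the references so the quoted text matches upstream. The discovery date (2021-10-12) and entry date (2021-10-14) are consistent with the commit date.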