(RHSA-2016:1380) Moderate: nodejs010-node-gyp and nodejs010-nodejs-qs security and bug fix update

2016-07-05T09:53:09
ID RHSA-2016:1380
Type redhat
Reporter RedHat
Modified 2018-06-13T01:28:16

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

  • The nodejs-qs module can create sparse arrays during parsing. By specifying a high index in a querystring parameter, it is possible to create a large array that will eventually take up all the allocated memory of the running process, resulting in a crash. (CVE-2014-7191)
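The sketch below is an added example, not code from the qs module or from the Red Hat patch. It shows why a client-supplied array index is a resource-exhaustion risk and how capping the index removes it. The names `parseIndexed`, `slotsToScan` and `ARRAY_LIMIT` and the cap of 20 are assumptions made for illustration.

```javascript
// Added illustration, not the qs module's code. ARRAY_LIMIT is an assumed cap.
const ARRAY_LIMIT = 20;

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Parses one bracket level, e.g. "a[0]=x&a[2]=y".
// limit = Infinity reproduces the unbounded behaviour the advisory describes:
// the client-supplied index is used directly as an array position.
function parseIndexed(query, limit = ARRAY_LIMIT) {
  const out = Object.create(null);            // no prototype keys to clobber
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : safeDecode(pair.slice(eq + 1));
    const m = /^([^\[\]]+)\[(\d+)\]$/.exec(key);
    if (!m) { out[key] = value; continue; }
    const [, name, idxText] = m;
    const idx = Number(idxText);
    let box = out[name];
    if (typeof box !== 'object' || box === null) box = [];
    if (Array.isArray(box) && idx > limit) {
      // Over the cap: switch to a plain object so the index is only a key
      // and the container size tracks the number of parameters sent.
      box = Object.assign({}, box);
    }
    box[Array.isArray(box) ? idx : idxText] = value;
    out[name] = box;
  }
  return out;
}

// Number of positions a loop over the parsed container would visit.
function slotsToScan(v) {
  return Array.isArray(v) ? v.length : Object.keys(v).length;
}

// Constructed sample input: two parameters, one with a large index.
const sample = 'a[0]=x&a[1000000]=y';
console.log(slotsToScan(parseIndexed(sample, Infinity).a)); // unbounded
console.log(slotsToScan(parseIndexed(sample).a));           // capped
```

With the cap in place, the work done per request is bounded by the number of parameters received rather than by a number the client chooses.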

Bug Fix(es):

  • A previous patch to the nodejs010-node-gyp RPM package introduced a bug that caused the node-gyp module to work incorrectly. As a consequence, users were unable to install or build native Node.js modules. A new patch has been applied; the node-gyp module now works as expected and no longer affects other modules. (BZ#1255594)

All nodejs010-nodejs-qs and nodejs010-node-gyp users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.