
7863 matches found

Tenable Nessus
added 2016/11/17 12:0 a.m. | 93 views

Apple Xcode < 8.1 Node.js Multiple RCE (macOS)

The version of Apple Xcode installed on the remote macOS or Mac OS X host is prior to 8.1. It is, therefore, affected by multiple remote code execution vulnerabilities in the Node.js component of the Xcode Server. An unauthenticated, remote attacker can exploit these vulnerabilities to cause a...

CVSS 10 | AI score 7.8 | EPSS 0.54488
Exploits: 1 | References: 12

ThreatPost
added 2016/11/16 12:55 p.m. | 9 views

PoisonTap Steals Cookies, Drops Backdoors From Password Protected Computers

Even locked, password-protected computers are no rival for Samy Kamkar and his seemingly endless parade of gadgets. His latest, PoisonTap, is a $5 Raspberry Pi Zero device running Node.js that’s retrofitted to emulate an Ethernet device over USB. Assuming a victim has left their web browser open,...

AI score 0.6
Exploits: 0 | References: 7

Tenable Nessus
added 2016/11/15 12:0 a.m. | 29 views

Fedora 25 : 1:nodejs (2016-43ff70c6b1)

https://nodejs.org/en/blog/release/v6.7.0/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...

CVSS 5.9 | AI score 7.3 | EPSS 0.00718
Exploits: 0 | References: 2

Kitploit
added 2016/11/01 2:44 p.m. | 26 views

GATTacker - BLE (Bluetooth Low Energy) Man-in-the-Middle

A Node.js package for BLE Bluetooth Low Energy security assessment using Man-in-the-Middle and other attacks. Prerequisites see: https://github.com/sandeepmistry/noble https://github.com/sandeepmistry/bleno Install npm install gattacker Usage Configure Running both components Set up variables in...

AI score 7.2
Exploits: 0 | References: 4

Tenable Nessus
added 2016/10/31 12:0 a.m. | 37 views

FreeBSD : node.js -- multiple vulnerabilities (27180c99-9b5c-11e6-b799-19bef72f4b7c)

Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x : Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a...

CVSS 6.5 | AI score 8.2 | EPSS 0.0113
Exploits: 0 | References: 3

Tenable Nessus
added 2016/10/31 12:0 a.m. | 37 views

FreeBSD : node.js -- ares_create_query single byte out of buffer write (28bb6ee5-9b5c-11e6-b799-19bef72f4b7c)

Node.js has released new versions containing the following security fix : The following releases all contain fixes for CVE-2016-5180 'ares_create_query single byte out of buffer write': Node.js v0.10.48 Maintenance, Node.js v0.12.17 Maintenance, Node.js v4.6.1 LTS 'Argon' While this is not a critic...

CVSS 9.8 | AI score 7.4 | EPSS 0.18086
Exploits: 0 | References: 4

Fedora
added 2016/10/30 5:56 p.m. | 24 views

[SECURITY] Fedora 24 Update: nodejs-4.6.1-6.fc24

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVSS 9.8 | AI score 1.6 | EPSS 0.18086
Exploits: 0

ThreatPost
added 2016/10/28 11:52 a.m. | 42 views

Apple Patches iTunes, iCloud for Windows, Xcode Server

Apple’s iTunes and iCloud software for Windows PCs received updates on Thursday for vulnerabilities that could allow for the disclosure of personal information and arbitrary code execution. In addition to the Windows fixes, Apple also alerted Mac and iOS app developers to nearly a dozen security...

CVSS 6.8 | AI score 3.1 | EPSS 0.01371
Exploits: 0 | References: 3

seebug.org
added 2016/10/28 12:0 a.m. | 219 views

Unauthorized access to Netease's open source Pomelo game server framework leads to remote command execution

Pomelo is Netease's open source, high-performance, distributed game server framework based on Node.js. It includes the basic development framework and the associated extension components, libraries and tool packages, and can help sa...

AI score 6.9
Exploits: 0

RedHat Linux
added 2016/10/27 4:41 p.m. | 2 views

nodejs: reason argument in ServerResponse#writeHead() not properly validated

It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request...

CVSS 6.1 | AI score 7.3 | EPSS 0.00985
Exploits: 0 | References: 5

Apple
added 2016/10/27 12:0 a.m. | 57 views

About the security content of Xcode 8.1

About the security content of Xcode 8.1 This document describes the security content of Xcode 8.1. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available...

CVSS 10 | AI score 1.3 | EPSS 0.54488
Exploits: 1 | References: 1 | Affected Software: 1

FreeBSD
added 2016/10/18 12:0 a.m. | 30 views

node.js -- ares_create_query single byte out of buffer write

Node.js has released new versions containing the following security fix: The following releases all contain fixes for CVE-2016-5180 "ares_create_query single byte out of buffer write": Node.js v0.10.48 Maintenance, Node.js v0.12.17 Maintenance, Node.js v4.6.1 LTS "Argon" While this is not a critica...

CVSS 9.8 | AI score 3.5 | EPSS 0.18086
Exploits: 0 | References: 1

FreeBSD
added 2016/10/18 12:0 a.m. | 37 views

node.js -- multiple vulnerabilities

Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x: Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a...

CVSS 6.5 | AI score 3 | EPSS 0.0113
Exploits: 0 | References: 1

Node JS Blog
added 2016/10/15 12:0 a.m. | 34 views

October security releases and v6 LTS "Boron" security inclusions

October security releases and v6 LTS "Boron" security inclusions Update 18-October-2016 Releases available Updates are now available for all active Node.js release lines. The following releases all contain fixes for CVE-2016-5180 "ares_create_query single byte out of buffer write": Node.js v0.10.48...

CVSS 9.8 | AI score 8.6 | EPSS 0.18086
Exploits: 0

CNVD
added 2016/10/13 12:0 a.m. | 2 views

Joyent Node.js CRLF Injection Vulnerability

Joyent Node.js is a platform from the US company Joyent for building web applications on top of the Google V8 JavaScript engine. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...

CVSS 6.1 | AI score 9.2 | EPSS 0.00985
Exploits: 0 | References: 1

Tenable Nessus
added 2016/10/12 12:0 a.m. | 34 views

openSUSE Security Update : nodejs (openSUSE-2016-1172)

This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs and security issues : - Nodejs embedded openssl version update + upgrade to 1.0.2j CVE-2016-6304, CVE-2016-2183, CVE-2016-2178, CVE-2016-6306, CVE-2016-7052 + remove support for dynamic 3rd party engine modules - http:...

CVSS 9.3 | AI score 7.4 | EPSS 0.40993
Exploits: 8 | References: 10

Fedora
added 2016/10/10 9:53 p.m. | 36 views

[SECURITY] Fedora 24 Update: nodejs-4.6.0-5.fc24

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVSS 5.9 | AI score 1.6 | EPSS 0.00718
Exploits: 0

NVD
added 2016/10/10 4:59 p.m. | 25 views

CVE-2016-7099

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate...

CVSS 5.9 | AI score 5.7 | EPSS 0.00718
Exploits: 0 | References: 5

OSV
added 2016/10/10 4:59 p.m. | 4 views

CVE-2016-7099

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate...

CVSS 5.9 | AI score 6.4
Exploits: 0 | References: 5

Prion
added 2016/10/10 4:59 p.m. | 39 views

Design/Logic Flaw

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate...

CVSS 4.3 | AI score 6.5 | EPSS 0.00718
Exploits: 0 | References: 5 | Affected Software: 2