{"id":"MGASA-2017-0204","summary":"Updated nodejs packages fix security vulnerability","details":"Node.js has a defect that may make HTTP response splitting possible\nunder certain circumstances. If user-input is passed to the reason\nargument to writeHead() on an HTTP response, a new-line character may be\nused to inject additional responses (CVE-2016-5325).\n\nThe tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does\nnot properly handle wildcards in name fields of X.509 certificates, which\nallows man-in-the-middle attackers to spoof servers via a crafted\ncertificate (CVE-2016-7099).\n","modified":"2026-04-16T01:48:38.988252519Z","published":"2017-07-13T09:10:46Z","upstream":["CVE-2016-5325","CVE-2016-7099"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0204.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=19550"},{"type":"WEB","url":"https://nodejs.org/en/blog/release/v0.10.47/"},{"type":"WEB","url":"https://nodejs.org/en/blog/release/v0.10.48/"},{"type":"WEB","url":"https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/nodejs?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.10.48-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0204.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}