Query returned 40 messages, browsing 11 to 20

History of commit frequency

CVS Commit History:


   2020-01-25 11:45:12 by Jonathan Perkin | Files touched by this commit (24)
Log message:
*: Remove obsolete BUILDLINK_API_DEPENDS.openssl.

   2020-01-24 19:58:13 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
nodejs8: cleanup and adapt to the small changes in lang/nodejs/Makefile.common

   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.

   2019-12-29 16:40:32 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs8: updated to 8.17.0

Version 8.17.0 'Carbon' (LTS)
Notable changes
deps: update npm to 6.13.4

   2019-12-09 21:06:43 by Adam Ciarcinski | Files touched by this commit (1) | Package updated
Log message:
nodejs8: update Makefile after recent changes to nodejs/Makefile.common

   2019-11-24 16:52:13 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nodejs8: updated to 8.16.2

Version 8.16.2 'Carbon' (LTS):

Notable changes
deps: upgrade openssl sources to 1.0.2s

Version 8.16.1 'Carbon' (LTS):

Notable changes
This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.

Version 8.16.0 'Carbon' (LTS):

Notable Changes
n-api:
add API for asynchronous functions
mark thread-safe function as stable

   2019-04-03 02:33:20 by Ryo ONODERA | Files touched by this commit (748)
Log message:
Recursive revbump from textproc/icu

   2018-12-15 18:27:21 by Maya Rashish | Files touched by this commit (3)
Log message:
nodejs8: don't invert logic for FreeBSD.

From Mike Pumford.

   2018-12-09 19:52:52 by Adam Ciarcinski | Files touched by this commit (724)
Log message:
revbump after updating textproc/icu

   2018-11-05 16:22:33 by Ryo ONODERA | Files touched by this commit (2)
Log message:
Remove incorrect patch. I will investigate the problem later.