Subject: CVS commit: pkgsrc/lang/nodejs10
From: Adam Ciarcinski
Date: 2021-02-24 12:04:35
Message id: 20210224110435.5BF81FA95@cvs.NetBSD.org

Log Message:
nodejs10: updated to 10.24.0

Version 10.24.0 'Dubnium' (LTS)

This is a security release.

Notable changes

Vulnerabilities fixed:

CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and also prevents the process from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt

Files:
Revision  Action  File
1.21      modify  pkgsrc/lang/nodejs10/Makefile
1.13      modify  pkgsrc/lang/nodejs10/distinfo