Your message dated Sun, 13 Aug 2017 13:49:42 +0000 with message-id <e1dgtgw-000du6...@fasolo.debian.org> and subject line Bug#863480: fixed in node-static-module 1.5.0-1 has caused the Debian Bug report #863480, regarding [node-static-module] Uninitialized Memory Exposure to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
863480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-static-module
Version: 1.3.1-1
Severity: grave
Tags: patch security fixed-upstream
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901

concat-stream is a writable stream that concatenates strings or binary data and calls a callback with the result.

Affected versions of the package are vulnerable to Uninitialized Memory Exposure. A possible memory disclosure vulnerability exists when a value of type number is provided to the stringConcat() method and results in concatenation of uninitialized memory to the stream collection. This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.

Details

Constructing a Buffer class with integer N creates a Buffer of length N with raw (not "zero-ed") memory. In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100":

// uninitialized Buffer of length 100
x = new Buffer(100);
// initialized Buffer with value of '100'
x = new Buffer('100');

concat-stream's stringConcat function uses the default Buffer constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous Heartbleed flaw in OpenSSL. You can read more about the insecure Buffer behavior on our blog. Similar vulnerabilities were discovered in request, mongoose, ws and sequelize.
--- End Message ---
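As an added example (not code from the bug report, concat-stream, or node-static-module), the flawed concatenation pattern the report describes beside a hardened version; the function names stringConcatNaive, stringConcatSafe and concatLength are mine.

```javascript
// Added example, not the package's own code. Models the flaw in the report:
// a stringConcat() that hands every part to the legacy Buffer constructor,
// so a *number* becomes a buffer of that length instead of the text of the
// number. The hardened version coerces non-buffer parts to strings and
// allocates only through Buffer.from(), which never returns stale memory.

// Naive concatenation in the style the report describes (deliberately flawed).
// On Node >= 8 `new Buffer(n)` is zero-filled, so the bytes are no longer
// uninitialized memory, but the length confusion that caused the exposure
// (100 bytes appended for the value 100) is still visible.
function stringConcatNaive(parts) {
  const bufs = parts.map(p => (Buffer.isBuffer(p) ? p : new Buffer(p)));
  return Buffer.concat(bufs).toString();
}

// Hardened: a number is always treated as text, never as an allocation size,
// and anything that is not a buffer, string, number or boolean is rejected
// instead of being passed to an allocator.
function stringConcatSafe(parts) {
  const bufs = parts.map(p => {
    if (Buffer.isBuffer(p)) return p;
    if (typeof p === 'string') return Buffer.from(p, 'utf8');
    if (typeof p === 'number' || typeof p === 'boolean') {
      return Buffer.from(String(p), 'utf8');
    }
    throw new TypeError(`unsupported chunk type: ${typeof p}`);
  });
  return Buffer.concat(bufs).toString();
}

// Byte length of the result, usable as a regression check: a number part
// must contribute String(p).length bytes to the output, never p bytes.
function concatLength(fn, parts) {
  return Buffer.byteLength(fn(parts), 'utf8');
}

// Constructed sample input: a stream that received a string, a number, a string.
const sampleParts = ['a', 100, 'b'];
console.log('naive length:', concatLength(stringConcatNaive, sampleParts)); // 102
console.log('safe  length:', concatLength(stringConcatSafe, sampleParts));  // 5
```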
--- Begin Message ---
Source: node-static-module
Source-Version: 1.5.0-1

We believe that the bug you reported is fixed in the latest version of node-static-module, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 863...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated node-static-module package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 16:29:32 +0200
Source: node-static-module
Binary: node-static-module
Architecture: source
Version: 1.5.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Description:
 node-static-module - convert module usage to inline expressions
Closes: 863480
Changes:
 node-static-module (1.5.0-1) unstable; urgency=high
 .
   * Security bug fix: Uninitialized Memory Exposure (Closes: #863480).
--- End Message ---