[Buildroot] [PATCH] package/nodejs: security bump to version 16.18.1
Peter Korsgaard
peter at korsgaard.com
Wed Nov 23 09:45:15 UTC 2022
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issue:
> DNS rebinding in --inspect via invalid octal IP address (Medium) (CVE-2022-43548)
> The Node.js rebinding protector for --inspect still allows invalid IP
> address, specifically, the octal format. An example of an octal IP address
> is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8
> number system. Browsers such as Firefox (tested on latest version m105)
> will still attempt to resolve this invalid octal address via DNS. When
> combined with an active --inspect session, such as when using VSCode, an
> attacker can perform DNS rebinding and execute arbitrary code
> Update license hash for an update of base64 (MIT license) and a change in
> copyright year:
> https://github.com/nodejs/node/commit/8ea9a71b15a953cd0936f7e6aae84c62873a77b5
> https://github.com/nodejs/node/commit/9f14dc1a8f43a9f3755c673009378b798cbdd73b
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2022.08.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list