
Vulnerability in the nodejs and libuv software packages

——————————————————————————–
Fedora Update Notification
FEDORA-2014-15411
2014-11-20 08:43:26
——————————————————————————–

Name : nodejs
Product : Fedora 21
Version : 0.10.33
Release : 1.fc21
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome’s JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

——————————————————————————–
Update Information:

This release handles the recent POODLE vulnerability by disabling SSLv2/SSLv3
by default for the predominant uses of TLS in Node.js.

It took longer than expected to get this release accomplished in a way that
would provide appropriate default security settings, while minimizing the
surface area for the behavior change we were introducing. It was also important
that we validated that our changes were being applied in the variety of
configurations we support in our APIs.

With this release, we are confident that the only behavior change is that the
default set of allowed protocols no longer includes SSLv2 or SSLv3. You are
still able to consume those protocols programmatically if necessary.

Included is the documentation that you can find at
https://nodejs.org/api/tls.html#tls_protocol_support that describes how this
works going forward for client and server implementations.

Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these
protocols are **disabled**. They are considered insecure and could be easily
compromised as was shown by CVE-2014-3566. However, in some situations, it
may cause problems with legacy clients/servers (such as Internet Explorer 6).
If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and
SSLv3 will not be compiled in by default.

There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.

The default protocol method Node.js uses is `SSLv23_method` which would be more
accurately named `AutoNegotiate_method`. This method will try and negotiate
from the highest level down to whatever the client supports. To provide a
secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
and SSLv2 by setting the `secureOptions` to be
`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).

If you have set `secureOptions` to anything, we will not override your
options, so a value that does not itself include
`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` leaves those protocols negotiable.

The ramifications of this behavior change:

* If your application is behaving as a secure server, clients who are `SSLv3`
only will now not be able to negotiate a connection and will be refused. In
this case your server will emit a `clientError` event. The error message will
include `'wrong version number'`.
* If your application is behaving as a secure client and communicating with a
server that doesn't support methods more secure than SSLv3 then your connection
won't be able to negotiate and will fail. In this case your client will emit
an `error` event. The error message will include `'wrong version number'`.

2014.10.20, node.js Version 0.10.33 (Stable)

* child_process: properly support optional args (cjihrig)

* crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

This is a behavior change: by default we will not allow negotiation down to
SSLv2 or SSLv3. If you need that negotiation, run Node.js with
`--enable-ssl2` or `--enable-ssl3` respectively.

This does not change the behavior for users specifically requesting
`SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is
assumed you know what you’re doing since you’re specifically asking to use
these methods.

2014.10.21, libuv Version 0.10.29 (Stable)

Relevant changes since version 0.10.28:

* linux: try epoll_pwait if epoll_wait is missing (Michael Hudson-Doyle)

——————————————————————————–
ChangeLog:

* Wed Nov 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.33-1
– new upstream release 0.10.33
http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/
– This release disables SSLv3 to secure Node.js services against the POODLE
attack. (CVE-2014-3566; RHBZ#1152789) For more information or to learn how
to re-enable SSLv3 in order to support legacy clients, please see the upstream
release announcement linked above.
* Tue Oct 21 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.32-2
– add Provides nodejs-punycode (RHBZ#1151811)
——————————————————————————–
References:

[ 1 ] Bug #1152789 – CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
https://bugzilla.redhat.com/show_bug.cgi?id=1152789
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update nodejs' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-15379
2014-11-19 15:12:12
——————————————————————————–

Name : nodejs
Product : Fedora 20
Version : 0.10.33
Release : 1.fc20
URL : http://nodejs.org/
Summary : JavaScript runtime
——————————————————————————–
ChangeLog:

* Wed Nov 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.33-1
– new upstream release 0.10.33
http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/
– This release disables SSLv3 to secure Node.js services against the POODLE
attack. (CVE-2014-3566; RHBZ#1152789) For more information or to learn how
to re-enable SSLv3 in order to support legacy clients, please see the upstream
release announcement linked above.
* Tue Oct 21 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.32-2
– add Provides nodejs-punycode (RHBZ#1151811)
* Thu Sep 18 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.32-1
– new upstream release 0.10.32
http://blog.nodejs.org/2014/08/19/node-v0-10-31-stable/
http://blog.nodejs.org/2014/09/16/node-v0-10-32-stable/
* Fri Aug 1 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.30-1
– new upstream release 0.10.30
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.29-1
– new upstream release 0.10.29
http://blog.nodejs.org/2014/06/16/node-v0-10-29-stable/
– The invalid UTF8 fix has been reverted since this breaks v8 API, which cannot
be done in a stable distribution release. This build of nodejs will behave as
if NODE_INVALID_UTF8 was set. For more information on the implications, see:
http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.28-1
– new upstream release 0.10.28
There is no difference between 0.10.27 and 0.10.28 for Fedora, as the only
thing updated was npm, which is shipped separately. The latest was only
packaged to avoid confusion. Please see the v0.10.27 changelog for relevant
changes in this update:
http://blog.nodejs.org/2014/05/01/node-v0-10-27-stable/
* Thu Feb 20 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.26-1
– new upstream release 0.10.26
http://blog.nodejs.org/2014/02/18/node-v0-10-26-stable/
* Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.25-2
– rebuild for icu-53 (via v8)
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.25-1
– new upstream release 0.10.25
http://blog.nodejs.org/2014/01/23/node-v0-10-25-stable/
* Thu Dec 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.24-1
– new upstream release 0.10.24
http://blog.nodejs.org/2013/12/19/node-v0-10-24-stable/
– upstream install script installs the headers now
* Thu Dec 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.23-1
– new upstream release 0.10.23
http://blog.nodejs.org/2013/12/11/node-v0-10-23-stable/
* Tue Nov 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.22-1
– new upstream release 0.10.22
http://blog.nodejs.org/2013/11/12/node-v0-10-22-stable/
——————————————————————————–
Fedora Update Notification
FEDORA-2014-15390
2014-11-19 15:12:44
——————————————————————————–

Name : nodejs
Product : Fedora 19
Version : 0.10.33
Release : 1.fc19
URL : http://nodejs.org/
Summary : JavaScript runtime
——————————————————————————–
ChangeLog:

* Wed Nov 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.33-1
– new upstream release 0.10.33
http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/
– This release disables SSLv3 to secure Node.js services against the POODLE
attack. (CVE-2014-3566; RHBZ#1152789) For more information or to learn how
to re-enable SSLv3 in order to support legacy clients, please see the upstream
release announcement linked above.
* Tue Oct 21 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.32-2
– add Provides nodejs-punycode (RHBZ#1151811)
* Thu Sep 18 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.32-1
– new upstream release 0.10.32
http://blog.nodejs.org/2014/08/19/node-v0-10-31-stable/
http://blog.nodejs.org/2014/09/16/node-v0-10-32-stable/
* Fri Aug 1 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.30-1
– new upstream release 0.10.30
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.29-1
– new upstream release 0.10.29
http://blog.nodejs.org/2014/06/16/node-v0-10-29-stable/
– The invalid UTF8 fix has been reverted since this breaks v8 API, which cannot
be done in a stable distribution release. This build of nodejs will behave as
if NODE_INVALID_UTF8 was set. For more information on the implications, see:
http://blog.nodejs.org/2014/06/16/openssl-and-breaking-utf-8-change/
* Sat May 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.28-1
– new upstream release 0.10.28
There is no difference between 0.10.27 and 0.10.28 for Fedora, as the only
thing updated was npm, which is shipped separately. The latest was only
packaged to avoid confusion. Please see the v0.10.27 changelog for relevant
changes in this update:
http://blog.nodejs.org/2014/05/01/node-v0-10-27-stable/
* Thu Feb 20 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.26-1
– new upstream release 0.10.26
http://blog.nodejs.org/2014/02/18/node-v0-10-26-stable/
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.25-1
– new upstream release 0.10.25
http://blog.nodejs.org/2014/01/23/node-v0-10-25-stable/
* Thu Dec 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.24-1
– new upstream release 0.10.24
http://blog.nodejs.org/2013/12/19/node-v0-10-24-stable/
– upstream install script installs the headers now
* Thu Dec 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.23-1
– new upstream release 0.10.23
http://blog.nodejs.org/2013/12/11/node-v0-10-23-stable/
* Tue Nov 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.22-1
– new upstream release 0.10.22
http://blog.nodejs.org/2013/11/12/node-v0-10-22-stable/
* Fri Oct 18 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.21-1
– new upstream release 0.10.21
http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
– resolves an undisclosed security vulnerability in the http module
* Tue Oct 1 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.20-1
– new upstream release 0.10.20
http://blog.nodejs.org/2013/09/30/node-v0-10-20-stable/
* Wed Sep 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.19-1
– new upstream release 0.10.19
http://blog.nodejs.org/2013/09/24/node-v0-10-19-stable/
* Fri Sep 6 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.18-1
– new upstream release 0.10.18
http://blog.nodejs.org/2013/09/04/node-v0-10-18-stable/
* Tue Aug 27 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.17-1
– new upstream release 0.10.17
http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
* Sat Aug 17 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.16-1
– new upstream release 0.10.16
http://blog.nodejs.org/2013/08/16/node-v0-10-16-stable/
– add v8-devel to -devel Requires
– restrict -devel Requires to the same architecture
* Wed Aug 14 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.14-3
– fix typo in _isa macro in v8 Requires
* Thu Jul 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.14-1
– new upstream release 0.10.14
http://blog.nodejs.org/2013/07/25/node-v0-10-14-stable/
* Wed Jul 10 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.13-1
– new upstream release 0.10.13
http://blog.nodejs.org/2013/07/09/node-v0-10-13-stable/
– remove RPM macros, etc. now that they’ve migrated to nodejs-packaging
* Wed Jun 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 0.10.12-1
– new upstream release 0.10.12
http://blog.nodejs.org/2013/06/18/node-v0-10-12-stable/
– split off a -packaging subpackage with RPM macros, etc.
– build -docs as noarch
– copy multiple version logic from nodejs-packaging SRPM for now
——————————————————————————–
Fedora Update Notification
FEDORA-2014-15390
2014-11-19 15:12:44
——————————————————————————–

Name : libuv
Product : Fedora 19
Version : 0.10.29
Release : 1.fc19
URL : http://nodejs.org/
Summary : Platform layer for node.js
Description :
libuv is a new platform layer for Node. Its purpose is to abstract IOCP on
Windows and libev on Unix systems. We intend to eventually contain all platform
differences in this library.

——————————————————————————–
ChangeLog:

* Wed Nov 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.29-1
– new upstream release 0.10.29
https://github.com/joyent/libuv/blob/v0.10.29/ChangeLog
* Fri Aug 1 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.28-1
– new upstream release 0.10.28
https://github.com/joyent/libuv/blob/v0.10.28/ChangeLog
* Thu Jul 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.27-3
– build static library for rust (RHBZ#1115975)
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 1:0.10.27-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri May 2 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.27-1
– new upstream release 0.10.27
https://github.com/joyent/libuv/blob/v0.10.27/ChangeLog
* Thu Feb 20 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.25-1
– new upstream release 0.10.25
https://github.com/joyent/libuv/blob/v0.10.25/ChangeLog
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.23-1
– new upstream release 0.10.23
https://github.com/joyent/libuv/blob/v0.10.23/ChangeLog
* Thu Dec 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.21-1
– new upstream release 0.10.21
https://github.com/joyent/libuv/blob/v0.10.21/ChangeLog
* Thu Dec 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.20-1
– new upstream release 0.10.20
https://github.com/joyent/libuv/blob/v0.10.20/ChangeLog
* Tue Nov 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.19-1
– new upstream release 0.10.19
https://github.com/joyent/libuv/blob/v0.10.19/ChangeLog
* Fri Oct 18 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.18-1
– new upstream release 0.10.18
https://github.com/joyent/libuv/blob/v0.10.18/ChangeLog
* Wed Sep 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.17-1
– new upstream release 0.10.17
https://github.com/joyent/libuv/blob/v0.10.17/ChangeLog
* Fri Sep 6 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.15-1
– new upstream release 0.10.15
https://github.com/joyent/libuv/blob/v0.10.15/ChangeLog
* Tue Aug 27 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.14-1
– new upstream release 0.10.14
https://github.com/joyent/libuv/blob/v0.10.14/ChangeLog
* Thu Jul 25 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.13-1
– new upstream release 0.10.13
https://github.com/joyent/libuv/blob/v0.10.13/ChangeLog
* Wed Jul 10 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.12-1
– new upstream release 0.10.12
* Wed Jun 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> – 1:0.10.11-1
– new upstream release 0.10.11
This update can be installed with the "yum" update program. Use
su -c 'yum update libuv' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

——————————————————————————–
Fedora Update Notification
FEDORA-2014-15379
2014-11-19 15:12:12
——————————————————————————–

Name : libuv
Product : Fedora 20
Version : 0.10.29
Release : 1.fc20
URL : http://nodejs.org/
Summary : Platform layer for node.js
Description :
libuv is a new platform layer for Node. Its purpose is to abstract IOCP on
Windows and libev on Unix systems. We intend to eventually contain all platform
differences in this library.

——————————————————————————–
Update Information:

This release handles the recent POODLE vulnerability by disabling SSLv2/SSLv3
by default for the most predominate uses of TLS in Node.js.

It took longer than expected to get this release accomplished in a way that
would provide appropriate default security settings, while minimizing the
surface area for the behavior change we were introducing. It was also important
that we validated that our changes were being applied in the variety of
configurations we support in our APIs.

With this release, we are confident that the only behavior change is that of
the default allowed protocols do not include SSLv2 or SSLv3. Though you are
still able to programatically consume those protocols if necessary.

Included is the documentation that you can find at
https://nodejs.org/api/tls.html#tls_protocol_support that describes how this
works going forward for client and server implementations.

Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these
protocols are **disabled**. They are considered insecure and could be easily
compromised as was shown by CVE-2014-3566. However, in some situations, it
may cause problems with legacy clients/servers (such as Internet Explorer 6).
If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and
SSLv3 will not be compiled in by default.

There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.

The default protocol method Node.js uses is `SSLv23_method` which would be more
accurately named `AutoNegotiate_method`. This method will try to negotiate
from the highest level down to whatever the client supports. To provide a
secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
and SSLv2 by setting the `secureOptions` to be
`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).

If you have set `secureOptions` to anything, we will not override your
options.

The ramifications of this behavior change:

* If your application is behaving as a secure server, clients who are `SSLv3`
only will now not be able to appropriately negotiate a connection and will be
refused. In this case your server will emit a `clientError` event. The error
message will include `'wrong version number'`.
* If your application is behaving as a secure client and communicating with a
server that doesn't support methods more secure than SSLv3 then your connection
won't be able to negotiate and will fail. In this case your client will emit
an `error` event. The error message will include `'wrong version number'`.

2014.10.20, node.js Version 0.10.33 (Stable)

* child_process: properly support optional args (cjihrig)

* crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

This is a behavior change, by default we will not allow the negotiation to
SSLv2 or SSLv3. If you want this behavior, run Node.js with either
`--enable-ssl2` or `--enable-ssl3` respectively.

This does not change the behavior for users specifically requesting
`SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is
assumed you know what you’re doing since you’re specifically asking to use
these methods.

2014.10.21, libuv Version 0.10.29 (Stable)

Relevant changes since version 0.10.28:

* linux: try epoll_pwait if epoll_wait is missing (Michael Hudson-Doyle)

——————————————————————————–
ChangeLog:

* Wed Nov 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.29-1
- new upstream release 0.10.29
https://github.com/joyent/libuv/blob/v0.10.29/ChangeLog
* Fri Aug 1 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.28-1
- new upstream release 0.10.28
https://github.com/joyent/libuv/blob/v0.10.28/ChangeLog
* Thu Jul 3 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.27-3
- build static library for rust (RHBZ#1115975)
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.10.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri May 2 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.27-1
- new upstream release 0.10.27
https://github.com/joyent/libuv/blob/v0.10.27/ChangeLog
* Thu Feb 20 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.25-1
- new upstream release 0.10.25
https://github.com/joyent/libuv/blob/v0.10.25/ChangeLog
* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.23-1
- new upstream release 0.10.23
https://github.com/joyent/libuv/blob/v0.10.23/ChangeLog
* Thu Dec 19 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.21-1
- new upstream release 0.10.21
https://github.com/joyent/libuv/blob/v0.10.21/ChangeLog
* Thu Dec 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.20-1
- new upstream release 0.10.20
https://github.com/joyent/libuv/blob/v0.10.20/ChangeLog
* Tue Nov 12 2013 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.19-1
- new upstream release 0.10.19
https://github.com/joyent/libuv/blob/v0.10.19/ChangeLog
——————————————————————————–
References:

[ 1 ] Bug #1152789 – CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
https://bugzilla.redhat.com/show_bug.cgi?id=1152789
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update libuv' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
——————————————————————————–
Fedora Update Notification
FEDORA-2014-15411
2014-11-20 08:43:26
——————————————————————————–

Name : libuv
Product : Fedora 21
Version : 0.10.29
Release : 1.fc21
URL : http://nodejs.org/
Summary : Platform layer for node.js
Description :
libuv is a new platform layer for Node. Its purpose is to abstract IOCP on
Windows and libev on Unix systems. We intend to eventually contain all platform
differences in this library.

——————————————————————————–
Update Information:

This release handles the recent POODLE vulnerability by disabling SSLv2/SSLv3
by default for the most predominant uses of TLS in Node.js.

It took longer than expected to get this release accomplished in a way that
would provide appropriate default security settings, while minimizing the
surface area for the behavior change we were introducing. It was also important
that we validated that our changes were being applied in the variety of
configurations we support in our APIs.

With this release, we are confident that the only behavior change is that the
default allowed protocols no longer include SSLv2 or SSLv3, though you are
still able to programmatically consume those protocols if necessary.

Included is the documentation that you can find at
https://nodejs.org/api/tls.html#tls_protocol_support that describes how this
works going forward for client and server implementations.

Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these
protocols are **disabled**. They are considered insecure and could be easily
compromised as was shown by CVE-2014-3566. However, in some situations, it
may cause problems with legacy clients/servers (such as Internet Explorer 6).
If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and
SSLv3 will not be compiled in by default.

There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.

The default protocol method Node.js uses is `SSLv23_method` which would be more
accurately named `AutoNegotiate_method`. This method will try to negotiate
from the highest level down to whatever the client supports. To provide a
secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
and SSLv2 by setting the `secureOptions` to be
`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).

If you have set `secureOptions` to anything, we will not override your
options.

The ramifications of this behavior change:

* If your application is behaving as a secure server, clients who are `SSLv3`
only will now not be able to appropriately negotiate a connection and will be
refused. In this case your server will emit a `clientError` event. The error
message will include `'wrong version number'`.
* If your application is behaving as a secure client and communicating with a
server that doesn't support methods more secure than SSLv3 then your connection
won't be able to negotiate and will fail. In this case your client will emit
an `error` event. The error message will include `'wrong version number'`.

2014.10.20, node.js Version 0.10.33 (Stable)

* child_process: properly support optional args (cjihrig)

* crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

This is a behavior change, by default we will not allow the negotiation to
SSLv2 or SSLv3. If you want this behavior, run Node.js with either
`--enable-ssl2` or `--enable-ssl3` respectively.

This does not change the behavior for users specifically requesting
`SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is
assumed you know what you’re doing since you’re specifically asking to use
these methods.

2014.10.21, libuv Version 0.10.29 (Stable)

Relevant changes since version 0.10.28:

* linux: try epoll_pwait if epoll_wait is missing (Michael Hudson-Doyle)

——————————————————————————–
ChangeLog:

* Wed Nov 19 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:0.10.29-1
- new upstream release 0.10.29
https://github.com/joyent/libuv/blob/v0.10.29/ChangeLog
——————————————————————————–
References:

[ 1 ] Bug #1152789 – CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
https://bugzilla.redhat.com/show_bug.cgi?id=1152789
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update libuv' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce