[Buildroot] [PATCH] nodejs: security bump 0.10.x series to 0.10.48

Peter Korsgaard peter at korsgaard.com
Fri Dec 2 21:11:13 UTC 2016


>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at free-electrons.com> writes:

 > Hello,
 > On Fri,  2 Dec 2016 21:16:52 +0100, Peter Korsgaard wrote:
 >> c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
 >> information at https://c-ares.haxx.se/adv_20160929.html

 > Thanks. What about our c-ares package itself?

That one was fixed quite some time ago:

commit 2d199dcff054d22a1ccc730fadfc7543b8c6e8f3
Author: Gustavo Zacarias <gustavo at zacarias.com.ar>
Date:   Wed Oct 12 20:17:17 2016 -0300

    c-ares: security bump to version 1.12.0

    Fixes:
    CVE-2016-5180 - ares_create_query single byte out of buffer write

    Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
    Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

I don't know enough about node to know if it can be convinced to use a
system c-ares instead of the embedded copy. Anyone?

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list