Bug 1306200 (CVE-2016-2086)

Summary: CVE-2016-2086 nodejs: Request smuggling vulnerability
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, abhgupta, ahardin, apevec, ayoung, bleanhar, bmontgom, cbuissar, ccoleman, chrisw, cvsbot-xmlrpc, dallan, dbaker, dedgar, dmcphers, eparis, gkotton, hhorak, jburrell, jgoulding, jialiu, jjoyce, jkeck, joelsmith, jokerman, jorton, jschluet, kbasil, lhh, lmeyer, lpeer, markmc, mchappel, mmaslano, mmccomas, mrunge, nodejs-maint, nodejs-sig, nstielau, rbryant, sclewis, sgallagh, sponnaga, srevivo, tchollingsworth, tdawson, tdecacqu, thrcka, tiwillia, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0 Doc Type: Bug Fix
Doc Text:
It was found that nodejs http-parser http_parser_execute() function did not properly followed HTTP header specifications. An attacker could send an HTTP request with a specially crafted header and cause a HTTP smuggling attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-20 21:15:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1306206, 1306207, 1306208, 1417959, 1417960    
Bug Blocks: 1306204    

Description Adam Mariš 2016-02-10 10:11:08 UTC 
A request smuggling vulnerability was found in Node.js that can be exploited under certain unspecified circumstances.

External Reference:

https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
Comment 2 Adam Mariš 2016-02-10 10:27:13 UTC 
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1306207]
Affects: epel-all [bug 1306208]
Comment 5 Fedora Update System 2016-02-15 02:50:16 UTC 
nodejs-0.10.42-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2016-02-22 20:50:45 UTC 
nodejs-0.10.42-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2016-02-27 01:59:57 UTC 
nodejs-0.10.42-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-02-27 02:07:08 UTC 
nodejs-0.10.42-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Jason Shepherd 2018-04-03 04:53:17 UTC 
Openshift uses latest RHSCL nodejs-4-rhel7 image which include NodeJS 4.6.2. Marking Openshift Enterprise as not affected.

https://github.com/openshift/library/blob/master/official/nodejs/imagestreams/nodejs-rhel7.json#L64
Comment 16 Product Security DevOps Team 2020-05-20 21:15:39 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-2086