Bug 1328413 (CVE-2016-3956)
Summary: | CVE-2016-3956 npm: bearer token leak to non-registry hosts | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | jorton, mmaslano, tchollingsworth, thrcka, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | npm 3.8.3, npm 2.15.1 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-04-27 09:33:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1328414, 1328415, 1328416 | ||
Bug Blocks: | 1328418 |
Description
Andrej Nemec
2016-04-19 10:51:14 UTC
Created npm tracking bugs for this issue: Affects: fedora-all [bug 1328414] Affects: epel-6 [bug 1328415] Affects: epel-7 [bug 1328416] Blog posts from npm and nodejs upstreams: http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/ Upstream commits: https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1) https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3) Upstream bug report: https://github.com/npm/npm/issues/8380 This is only relevant to use cases where npm is used with authentication - private repos or workstations form which developers publish new package versions. Common uses case when npm is used to install publicly available packages are not affected. This issue has a CVE now: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3956 |