Red Hat Bugzilla – Bug 1346910
CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated
Last modified: 2018-06-29 18:11:59 EDT
An unspecified low-severity Node.js HTTP processing vulnerability was found and will be fixed in latest update. Details are currently embargoed until new releases are available. https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/
Created nodejs tracking bugs for this issue: Affects: fedora-all [bug 1346913] Affects: epel-all [bug 1346914]
This issue is now public via September 2016 security releases: CVE-2016-5325: reason argument in ServerResponse#writeHead() not properly validated This is a low severity security defect that that may make HTTP response splitting possible under certain circumstances. If user-input is passed to the reason argument to writeHead() on an HTTP response, a new-line character may be used to inject additional responses. The fix for this defect introduces a new case where throw may occur when configuring HTTP responses. Users should already be adopting try/catch here. This was originally reported independently by Evan Lucas and Romain Gaucher. All versions of Node.js are affected. External References: https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Upstream commit: 0.10.x https://github.com/nodejs/node/commit/3614a173d0a0827bb9f7a1aa65bf9ccc9c7d6784 4.x https://github.com/nodejs/node/commit/b5c57ff772aff6cdee79206a2d53da6c638cbd13
Additional details: CVE-2016-5325: reason argument in ServerResponse#writeHead() not properly validated This is a low severity security defect that that may make HTTP response splitting possible under certain circumstances. If user-input is passed to the reason argument to writeHead() on an HTTP response, a new-line character may be used to inject additional responses. The fix for this defect introduces a new case where throw may occur when configuring HTTP responses. Users should already be adopting try/catch here. This was originally reported independently by Evan Lucas and Romain Gaucher. All versions of Node.js are affected. https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.3 Red Hat OpenShift Enterprise 3.2 Red Hat OpenShift Enterprise 3.1 Via RHSA-2016:2101 https://access.redhat.com/errata/RHSA-2016:2101
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Via RHSA-2017:0002 https://rhn.redhat.com/errata/RHSA-2017-0002.html