bl versions before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.append(number) in the affected bl versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory.

Upstream issue: https://github.com/rvagg/bl/pull/22
Upstream patch: https://github.com/rvagg/bl/pull/22/commits/8e1ddb38145ac4556af67d5e18534e8f4bccbf98
External Reference: https://nodesecurity.io/advisories/596
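The bug class described above, as an added example that is not bl's source code or the upstream patch: a numeric argument treated as an allocation size, beside a hardened form that treats it as data. The names toChunkLegacy, toChunkSafe, makeList and demo are hypothetical, Buffer.allocUnsafe stands in for the old Buffer(number) behaviour, and serialising the number to text is this example's choice of mitigation.

```javascript
// Added example: models the bug class on a toy buffer list, not bl itself.

// Pre-fix pattern. The legacy Buffer(n) constructor allocated n bytes
// without zeroing them; Buffer.allocUnsafe(n) is the modern call with the
// same semantics, so it is used here to model that behaviour.
function toChunkLegacy(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'number') return Buffer.allocUnsafe(value); // n raw bytes
  return Buffer.from(String(value));
}

// Hardened pattern. A number is data, never a size: serialise it to text
// before any Buffer is created, and reject types that are not expected.
function toChunkSafe(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'number') value = value.toString();
  if (typeof value !== 'string') {
    throw new TypeError('append() accepts only Buffer, string or number');
  }
  return Buffer.from(value);
}

// Minimal buffer list (hypothetical stand-in for a bl instance).
function makeList(toChunk) {
  const chunks = [];
  return {
    append(v) { chunks.push(toChunk(v)); return this; },
    slice() { return Buffer.concat(chunks); },
  };
}

// Append the same constructed value through both paths and compare.
function demo(value) {
  const legacy = makeList(toChunkLegacy).append('id=').append(value).slice();
  const safe = makeList(toChunkSafe).append('id=').append(value).slice();
  return {
    legacyLength: legacy.length, // 'id=' plus `value` bytes of stale memory
    safeLength: safe.length,     // 'id=' plus the decimal digits
    safeText: safe.toString(),
  };
}

console.log(demo(1024));
```

A quick check for this pattern in a dependency is to compare the appended length with the length of the value's decimal representation: a mismatch means the number was used as a size.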
Created nodejs-bl tracking bugs for this issue:

Affects: epel-7 [bug 1576655]