Bugzilla – Bug 797599
VUL-0: v8: various security issues
Last modified: 2013-02-05 11:04:26 UTC
we did not update v8 in openSUSE for quite some time, however it has collected quite some issues. Name: CVE-2012-5128 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5128 Phase: Assigned (20120924) Category: Reference: CONFIRM:http://googlechromereleases.blogspot.com/2012/11/stable-channel-release-and-beta-channel.html Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=157124 Google V8 before 3.13.7.5, as used in Google Chrome before 23.0.1271.64, does not properly perform write operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. ====================================================== Name: CVE-2012-5120 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5120 Phase: Assigned (20120924) Category: Reference: CONFIRM:http://googlechromereleases.blogspot.com/2012/11/stable-channel-release-and-beta-channel.html Reference: CONFIRM:https://code.google.com/p/chromium/issues/detail?id=150729 Google V8 before 3.13.7.5, as used in Google Chrome before 23.0.1271.64, on 64-bit Linux platforms allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers an out-of-bounds access to an array. Name: CVE-2011-5037 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5037 Phase: Assigned (20111229) Category: Reference: BUGTRAQ:20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html Reference: MISC:http://www.nruns.com/_downloads/advisory28122011.pdf Reference: MISC:http://www.ocert.org/advisories/ocert-2011-003.html Reference: CERT-VN:VU#903934 Reference: URL:http://www.kb.cert.org/vuls/id/903934 Google V8 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, as demonstrated by attacks against Node.js.
bugbot adjusting priority
maybe handled with bnc#798326 ?
I have just submitted an update for v8 to a newer version. However the v8 package itself is no longer required by Chromium, as that it utilizes the in-source v8 package. So security issues in v8 related to Chromium are handled within the chromium sources. The v8 package itself can be used for a webserver (node.js), but this one is hardly used.
This is an autogenerated message for OBS integration: This bug (797599) was mentioned in https://build.opensuse.org/request/show/149794 Maintenance /
people just might use it for node.js :/ thanks for the submission! however can you mention this bnc# number in the last version upgrade notice in the v8.changes files please?
Resubmitted with the bnc# number in the version upgrade notice for the changelog file
This is an autogenerated message for OBS integration: This bug (797599) was mentioned in https://build.opensuse.org/request/show/150024 Maintenance /
looks good, thanks!
released
openSUSE-SU-2013:0241-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 797599 CVE References: Sources used: openSUSE 12.2 (src): v8-3.16.4.0-1.12.1 openSUSE 12.1 (src): v8-3.16.4.0-1.36.1