Bugzilla – Bug 1117625
VUL-1: CVE-2018-12120: nodejs4,nodejs6: Debugger port 5858 listens on any interface by default
Last modified: 2019-07-17 06:39:27 UTC
CVE-2018-12120

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

port 5858 listens on any interface by default (CVE-2018-12120)

Categorization: Unprotected Primary Channel (CWE-419)

All versions of Node.js 6 are vulnerable and the severity is HIGH. When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable. Reported and fixed by Ben Noordhuis.

Impact:
All versions of Node.js 6 (LTS "Boron") are vulnerable
All versions of Node.js 8 (LTS "Carbon") are NOT vulnerable
All versions of Node.js 10 (LTS "Dubnium") are NOT vulnerable
All versions of Node.js 11 (Current) are NOT vulnerable
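A defender-side check for the condition described in this report, as an added example that is not part of the bug report or of Node.js: it scans Linux /proc/net/tcp-style text for LISTEN sockets on port 5858 and flags those not bound to loopback. The function names, the sample rows and the little-endian address layout are assumptions of the example.

```javascript
// Added example, not from the bug report or the Node.js project.
// Assumes the /proc/net/tcp{,6} layout of a little-endian Linux host.
const DEBUG_PORT = 5858;   // default debugger port named in the advisory
const TCP_LISTEN = '0A';   // value of the "st" column for a listening socket
const V4_MAPPED = '0000000000000000FFFF0000'; // ::ffff:a.b.c.d prefix in tcp6

// Classify a hex local address as 'any', 'loopback' or 'specific'.
function classifyAddress(hexAddr) {
  let a = hexAddr.toUpperCase();
  if (a.length === 32 && a.startsWith(V4_MAPPED)) a = a.slice(24);
  if (/^0+$/.test(a)) return 'any';                          // 0.0.0.0 or ::
  if (a.length === 8 && a.endsWith('7F')) return 'loopback'; // 127.0.0.0/8
  if (a === '00000000000000000000000001000000') return 'loopback'; // ::1
  return 'specific';
}

// Return every LISTEN socket on `port`; `exposed` is true unless loopback.
function findDebugListeners(procNetTcp, port = DEBUG_PORT) {
  const hits = [];
  for (const line of procNetTcp.split('\n')) {
    const f = line.trim().split(/\s+/);
    if (f.length < 10 || !/^\d+:$/.test(f[0])) continue;  // header or blank
    const [addr, portHex] = f[1].split(':');
    if (f[3] !== TCP_LISTEN || parseInt(portHex, 16) !== port) continue;
    const scope = classifyAddress(addr);
    hits.push({ local: f[1], scope, exposed: scope !== 'loopback', inode: f[9] });
  }
  return hits;
}

// Constructed sample rows (not captured from a real host; rows 0 and 1
// stand for two different machines, since both binds cannot coexist).
const SAMPLE = [
  '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode',
  '   0: 00000000:16E2 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1',
  '   1: 0100007F:16E2 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40002 1',
  '   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40003 1',
  '   3: 0100007F:16E2 0100007F:D431 01 00000000:00000000 00:00000000 00000000  1000        0 40004 1',
].join('\n');

for (const h of findDebugListeners(SAMPLE)) {
  console.log(`${h.local} scope=${h.scope} exposed=${h.exposed} inode=${h.inode}`);
}
```

On a live host, pass the contents of /proc/net/tcp and /proc/net/tcp6 to findDebugListeners; the inode column can then be matched against /proc/<pid>/fd to identify the owning process.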
Removing nodejs8 from title as not affected.
This is an autogenerated message for OBS integration: This bug (1117625) was mentioned in https://build.opensuse.org/request/show/664387 Factory / nodejs6
Fixes submitted to all affected codestreams. Re-assigning back to security team.
SUSE-SU-2019:0117-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs4-4.9.1-15.17.1
SUSE Enterprise Storage 4 (src): nodejs4-4.9.1-15.17.1
openSUSE-SU-2019:0088-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
openSUSE Leap 42.3 (src): nodejs4-4.9.1-20.1
SUSE-SU-2019:0395-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): nodejs6-6.16.0-11.21.1
SUSE OpenStack Cloud 7 (src): nodejs6-6.16.0-11.21.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs6-6.16.0-11.21.1
SUSE Enterprise Storage 4 (src): nodejs6-6.16.0-11.21.1
openSUSE-SU-2019:0234-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
openSUSE Leap 42.3 (src): nodejs6-6.16.0-18.1
released