[Buildroot] [PATCH] package/nodejs: security bump to version 12.14.0
Peter Korsgaard
peter at korsgaard.com
Mon Dec 23 22:33:55 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security vulnerabilities (in npm):
> - CVE-2019-16775: Versions of the npm CLI prior to 6.13.3 are vulnerable to
> an Arbitrary File Write. It is possible for packages to create symlinks
> to files outside of the node_modules folder through the bin field upon
> installation
> https://www.npmjs.com/advisories/1436
> - CVE-2019-16776: Versions of the npm CLI prior to 6.13.3 are vulnerable to
> an Arbitrary File Write. It fails to prevent access to folders outside of
> the intended node_modules folder through the bin field
> https://www.npmjs.com/advisories/1434
> - CVE-2019-16777: Versions of the npm CLI prior to 6.13.4 are vulnerable to
> an Arbitrary File Overwrite. It fails to prevent existing
> globally-installed binaries to be overwritten by other package
> installations
> https://www.npmjs.com/advisories/1437
> For further details, see the upstream announcements:
> https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
> https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2019.11.x, thanks.
For 2019.02.x I will instead bump the version to 8.17.0, which includes
the same fix.
--
Bye, Peter Korsgaard