---
- branch: MAIN
  date: Wed Sep 28 11:09:47 UTC 2016
  files:
  - new: '1.20'
    old: '1.19'
    path: pkgsrc/lang/nodejs4/Makefile
    pathrev: pkgsrc/lang/nodejs4/Makefile@1.20
    type: modified
  - new: '1.18'
    old: '1.17'
    path: pkgsrc/lang/nodejs4/distinfo
    pathrev: pkgsrc/lang/nodejs4/distinfo@1.18
    type: modified
  id: 20160928T110947Z.8f992cc987cca1c03aebef6651b1b440fb0dbc10
  log: |
    Update lang/nodejs4 to 4.6.0.

    - openssl: Remove support for loading dynamic third-party engine
      modules. An attacker may be able to hide malicious code to be
      inserted into Node.js at runtime by masquerading as one of the
      dynamic engine modules.
    - http: CVE-2016-5325 - Properly validate for allowable characters
      in the reason argument in ServerResponse#writeHead().
    - buffer: Zero-fill excess bytes in new Buffer objects created with
      Buffer.concat() while providing a totalLength parameter that
      exceeds the total length of the original Buffer objects being
      concatenated.
    - tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
      check whereby a TLS server may be able to serve an invalid
      wildcard certificate for its hostname due to improper validation
      of *. in the wildcard string.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang/nodejs4'
  unixtime: '1475060987'
  user: fhajny