---
- branch: MAIN
  date: Tue Jul 11 19:00:57 UTC 2017
  files:
  - new: '1.103'
    old: '1.102'
    path: pkgsrc/lang/nodejs/Makefile
    pathrev: pkgsrc/lang/nodejs/Makefile@1.103
    type: modified
  - new: '1.100'
    old: '1.99'
    path: pkgsrc/lang/nodejs/distinfo
    pathrev: pkgsrc/lang/nodejs/distinfo@1.100
    type: modified
  id: 20170711T190057Z.767f41b7dc18afdd61fecfdfb391e34e5c0293cf
  log: |
    Update lang/nodejs to 8.1.4.

    - Disable V8 snapshots - The hashseed embedded in the snapshot is
      currently the same for all runs of the binary. This opens node up
      to collision attacks which could result in a Denial of Service.
      We have temporarily disabled snapshots until a more robust
      solution is found
    - CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
      which is used for parsing NAPTR responses, could be triggered to
      read memory outside of the given input buffer if the passed in
      DNS response packet was crafted in a particular way. This patch
      checks that there is enough data for the required elements of an
      NAPTR record (2 int16, 3 bytes for string lengths) before
      processing a record. (David Drysdale)
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang/nodejs'
  unixtime: '1499799657'
  user: fhajny