author: Bradley T. Hughes <bhughes@FreeBSD.org> 2018-08-27 11:19:02 +0000
committer: Bradley T. Hughes <bhughes@FreeBSD.org> 2018-08-27 11:19:02 +0000
commit: 7e10165df33614d86eb396ba052ea10c61206485 (patch)
tree: 1d4772c6618ad2193751be17b5bbf30b1337bcef /security
parent: eef7996894e047798f7fee88a4ae1b00096eda8c (diff)
Diffstat (limited to 'security')
-rw-r--r-- security/vuxml/vuln.xml 77
1 files changed, 77 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 1b323dc5bfb1..f10a4e1f93b1 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,83 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="0904e81f-a89d-11e8-afbb-bc5ff4f77b71">
+ <topic>node.js -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>node</name>
+ <range><lt>10.9.0</lt></range>
+ </package>
+ <package>
+ <name>node8</name>
+ <range><lt>8.11.4</lt></range>
+ </package>
+ <package>
+ <name>node6</name>
+ <range><lt>6.14.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js reports:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/">
+ <h1>OpenSSL: Client DoS due to large DH parameter</h1>
+ <p>This fixes a potential denial of service (DoS) attack
+ against client connections by a malicious server. During a TLS
+ communication handshake, where both client and server agree to
+ use a cipher-suite using DH or DHE (Diffie-Hellman, in both
+ ephemeral and non-ephemeral modes), a malicious server can
+ send a very large prime value to the client. Because this has
+ been unbounded in OpenSSL, the client can be forced to spend
+ an unreasonably long period of time to generate a key,
+ potentially causing a denial of service.</p>
+ <h1>OpenSSL: ECDSA key extraction via local side-channel</h1>
+ <p>Attackers with access to observe cache-timing may be able
+ to extract DSA or ECDSA private keys by causing the victim to
+ create several signatures and watching responses. This flaw
+ does not have a CVE due to OpenSSL policy to not assign itself
+ CVEs for local-only vulnerabilities that are more academic
+ than practical. This vulnerability was discovered by Keegan
+ Ryan at NCC Group and impacts many cryptographic libraries
+ including OpenSSL.</p>
+ <h1>Unintentional exposure of uninitialized memory</h1>
+ <p>Only Node.js 10 is impacted by this flaw.</p>
+ <p>Node.js TSC member Nikita Skovoroda discovered an argument
+ processing flaw that causes Buffer.alloc() to return
+ uninitialized memory. This method is intended to be safe and
+ only return initialized, or cleared, memory. The third
+ argument specifying encoding can be passed as a number, this
+ is misinterpreted by Buffer's internal "fill" method as the
+ start to a fill operation. This flaw may be abused where
+ Buffer.alloc() arguments are derived from user input to return
+ uncleared memory blocks that may contain sensitive
+ information.</p>
+ <h1>Out of bounds (OOB) write</h1>
+ <p>Node.js TSC member Nikita Skovoroda discovered an OOB write
+ in Buffer that can be used to write to memory outside of a
+ Buffer's memory space. This can corrupt unrelated Buffer
+ objects or cause the Node.js process to crash.</p>
+ <p>When used with UCS-2 encoding (recognized by Node.js under
+ the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'),
+ Buffer#write() can be abused to write outside of the bounds of
+ a single Buffer. Writes that start from the second-to-last
+ position of a buffer cause a miscalculation of the maximum
+ length of the input bytes to be written.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/</url>
+ <cvename>CVE-2018-0732</cvename>
+ <cvename>CVE-2018-7166</cvename>
+ <cvename>CVE-2018-12115</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-16</discovery>
+ <entry>2018-08-25</entry>
+ </dates>
+ </vuln>
+
<vuln vid="45671c0e-a652-11e8-805b-a4badb2f4699">
<topic>FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability</topic>
<affects>
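Review bot: The `<entry>2018-08-25</entry>` value in the `<dates>` block is two days earlier than this commit's own date of 2018-08-27; if the entry date is meant to record when the entry was added to vuln.xml, it should read 2018-08-27. Separately, the description has four headings while `<references>` lists three `<cvename>` values, and only the ECDSA side-channel paragraph says it has no CVE, so nothing in the entry tells a reader which CVE belongs to which of the other three issues; a short line outside the `<blockquote>` mapping each CVE to its heading would fix that. Finally, the quoted text says "Only Node.js 10 is impacted by this flaw" for the Buffer.alloc() issue, but the single `<affects>` block also lists `node8` and `node6`; that is accurate for the entry as a whole, but anyone reading only the ranges cannot see that one of the issues does not apply to those two packages, so consider a separate entry for the Node.js 10-only issue.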