MDVSA-2015:228: nodejs

Updated nodejs package fixes security vulnerability:

It was found that libuv does not call setgoups before calling
setuid/setgid. This may potentially allow an attacker to gain elevated
privileges (CVE-2015-0278).

The libuv library is bundled with nodejs, and a fixed version of
libuv is included with nodejs as of version 0.10.37. The nodejs
package has been updated to version 0.10.38 to fix this issue, as
well as several other bugs.

Leave a Reply