Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Nov 2014 20:02:40 +0000
From: Steve Kemp <>
Subject: CVE Request - dns-sync node module

  The dns-sync library for node.js allows resolving hostnames in
 a synchronous fashion

  All versions of dns-sync prior to the release 0.1.1 were
 vulnerable to arbitrary command execution via maliciously
 formed hostnames.  For example:

    var dnsSync = require('dns-sync');
    console.log(dnsSync.resolve('$(id > /tmp/foo)'));

  This is caused by the hostname being passed through a shell
 as part of a command execution.

  I disclosed/reported this here:

  The following commit resolves the bug:


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ