Node.js Package Manager Vulnerability

A major vulnerability has been discovered in Node.js package manager (npm).

The attack is pretty simple and is detailed in the SOFTPEDIA article. The npm system leaves authors logged in by default and requires you to log out explicitly. If someone writes a malicious module and uploads it to npm, then when another user who is also an author downloads it, the malicious package can upload itself into all of that author's modules, causing it to spread.

Hopefully the team over at Node.js / npm is working on a fix. The easiest solution would be to remove the always-logged-in behaviour and require authentication again when uploading modules to the npm registry.
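
Until npm changes that default, an author can at least see whether a login is persisted on their own machine. The following check is an added example, not code from the original post or from npm; it assumes the credential line formats npm writes into an .npmrc file (`//<registry>/:_authToken=` and the legacy `_auth=`), with the sample file constructed inline in the test.

```shell
#!/bin/sh
# Added example, not from the original post or from npm: list the registry
# credentials persisted in an npmrc-format file, so an author can see whether
# the "always logged in" state the post describes applies to them. Assumes the
# line formats npm writes for a login:
#   //registry.npmjs.org/:_authToken=<token>     (scoped to one registry)
#   _auth=<base64 user:password>                 (legacy, applies everywhere)
# Secrets are masked to their first four characters in the output.
npm_persisted_creds() {
    # $1: path of an .npmrc file; prints one masked line per stored credential
    [ -r "$1" ] || return 0
    sed -n -E 's#^(//[^:]*:)?(_authToken|_auth|_password)=(.{0,4}).*$#\1\2=\3****#p' "$1"
}

npm_persisted_creds_count() {
    # Number of stored credentials in $1 (0 when none, or when the file is absent)
    npm_persisted_creds "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh npm_creds.sh ~/.npmrc   (no arguments: nothing is checked)
for f in "$@"; do
    n=$(npm_persisted_creds_count "$f")
    echo "$f: $n persisted credential(s)"
    npm_persisted_creds "$f"
    [ "$n" -eq 0 ] || echo "  run 'npm logout' when you are not publishing"
done
```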

Oracle Releases 248 CVEs

Oracle has released 248 CVEs as part of their Q1 Critical Patch Update. This is the most CVEs they have ever released at once.

List of affected software:

  • Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
  • Oracle GoldenGate, version(s) 11.2, 12.1.2
  • Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
  • Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0
  • Oracle Endeca Server, version(s) 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0
  • Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.2.0, 12.1.3.0, 12.2.1
  • Oracle GlassFish Server, version(s) 3.1.2
  • Oracle Identity Federation, version(s) 11.1.1.7, 11.1.2.2
  • Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
  • Oracle Tuxedo, version(s) 12.1.1.0
  • Oracle Web Cache, version(s) 11.1.1.7.0, 11.1.1.9.0
  • Oracle WebCenter Sites, version(s) 7.6.2, 11.1.1.8.0
  • Oracle WebLogic Portal, version(s) 10.3.6
  • Oracle WebLogic Server, version(s) 10.3.6, 12.1.2, 12.1.3, 12.2.1
  • Enterprise Manager Base Platform, version(s) 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5
  • Enterprise Manager Ops Center, version(s) prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0
  • Oracle Application Testing Suite, version(s) 12.4.0.2, 12.5.0.2
  • Application Mgmt Pack for E-Business Suite, version(s) 12.1, 12.2
  • Oracle E-Business Suite, version(s) 11.5.10.2, 12.1, 12.1.1, 12.1.2, 12.1.3, 12.2, 12.2.3, 12.2.4, 12.2.5
  • Oracle Agile Engineering Data Management, version(s) 6.1.2.2, 6.1.3.0, 6.2.0.0
  • Oracle Agile PLM, version(s) 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3
  • Oracle Configurator, version(s) 11.5.10.2, 12.1, 12.2
  • PeopleSoft Enterprise HCM Global Payroll Switzerland, version(s) 9.1, 9.2
  • PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55
  • PeopleSoft Enterprise SCM eProcurement, version(s) 9.1, 9.2
  • PeopleSoft Enterprise SCM Order Management, version(s) 9.1, 9.2
  • PeopleSoft Enterprise SCM Purchasing, version(s) 9.1, 9.2
  • JD Edwards EnterpriseOne Tools, version(s) 9.1, 9.2
  • Oracle iLearning, version(s) 6.0, 6.1
  • Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10
  • Oracle Communications Converged Application Server - Service Controller, version(s) 6.1
  • Oracle Communications EAGLE LNP Application Processor, version(s) 10.0
  • Oracle Communications Online Mediation Controller, version(s) 6.1
  • Oracle Communications Service Broker, version(s) 6.0, 6.1
  • Oracle Communications Service Broker Engineered System Edition, version(s) 6.0
  • MICROS CWDirect, version(s) 12.5, 13.0, 14.0, 15.0, 16.0, 17.0, 18.0
  • Oracle Retail Open Commerce Platform Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0
  • Oracle Retail Order Broker Cloud Service, version(s) 4.0, 4.1
  • Oracle Retail Order Management System Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0, 15.0
  • Oracle Retail Point-of-Service, version(s) 13.4, 14.0, 14.1
  • Oracle Java SE, version(s) 6u105, 7u91, 8u66
  • Oracle Java SE Embedded, version(s) 8u65
  • Oracle JRockit, version(s) R28.3.8
  • Oracle Switch ES1-24, version(s) prior to 1.3.1.13
  • Solaris, version(s) 10, 11
  • Solaris Cluster, version(s) 3.3, 4, 4.2
  • Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2.13
  • Sun Network 10GE Switch 72p, version(s) prior to 1.2.2.15
  • Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2
  • Oracle VM VirtualBox, version(s) prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.36, prior to 5.0.14
  • MySQL Server, version(s) 5.5.46 and prior, 5.6.27 and prior, 5.7.9

OpenSSH CVE-2016-0777

A new OpenSSH security vulnerability has been found and reported as CVE-2016-0777. A feature called "Roaming" was added to the OpenSSH client software (with no documentation), but it has never been implemented on the server side. Because of this, someone could set up an SSH server that gets access to client-side memory and possibly dumps your private keys.

It appears that the major Linux distributions have already released patches or are in the process of doing so.

It is suggested by David Busby over on Percona's website to take the following steps to remove the risk.

In ~/.ssh/config and /etc/ssh/ssh_config, add the directive under a wildcard host block (the keyword must be on its own line; if it sits on the Host line it is read as another host pattern and has no effect):

Host *
    UseRoaming no
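
To confirm the directive actually took effect in a client config, here is an added example (not code from the original post or from Percona) that reports whether an ssh_config-style file disables roaming for all hosts. It assumes the whitespace-separated "Keyword argument" syntax and ssh_config's rule that the first value obtained for a keyword wins; the sample files are constructed in the test.

```shell
#!/bin/sh
# Added example, not from the original post or Percona: report whether an
# ssh_config-style file disables the client roaming feature globally, i.e.
# whether a "Host *" block (or the global section before any Host line)
# carries "UseRoaming no". ssh_config uses the FIRST value obtained for a
# keyword, so an earlier "UseRoaming yes" under "Host *" wins over a later
# "no"; host-specific blocks are not examined here. Assumes the whitespace
# separated "Keyword argument" syntax (not "Keyword=argument").
roaming_disabled_in() {
    # $1: path of the config file; returns 0 if disabled globally, 1 otherwise
    awk '
        BEGIN { host = "*"; verdict = "" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = tolower($1)
            if (key == "host") {
                # a Host line may carry several patterns; "*" anywhere matches all,
                # so a collapsed "Host * UseRoaming no" sets no keyword at all
                host = "specific"
                for (i = 2; i <= NF; i++) if ($i == "*") host = "*"
                next
            }
            if (key == "match") { host = "specific"; next }
            if (key == "useroaming" && host == "*" && verdict == "")
                verdict = tolower($2)
        }
        END { exit (verdict == "no" ? 0 : 1) }
    ' "$1"
}

# Stand-alone use: check each file named on the command line, e.g.
#   sh check_roaming.sh ~/.ssh/config /etc/ssh/ssh_config
for f in "$@"; do
    if roaming_disabled_in "$f"; then
        echo "$f: UseRoaming no is set for all hosts"
    else
        echo "$f: roaming NOT disabled globally (add 'UseRoaming no' under 'Host *')"
    fi
done
```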

Perl 6 Released

As expected, Perl 6 was released for Christmas! While a lot of development is needed to improve support and speed for Perl 6, the language specification was closed on December 25, 2015.

PHP 7.0 Nearing Release

PHP 7.0.0 RC2 was released on Friday. This version of PHP comes with a new version of the Zend Engine (Zend Engine III).

  • Improved performance: PHP 7 is up to twice as fast as PHP 5.6
  • Consistent 64-bit support
  • Many fatal errors are now Exceptions
  • Removal of old and unsupported SAPIs and extensions
  • The null coalescing operator (??)
  • Combined Comparison Operator (<=>)
  • Return Type Declarations
  • Scalar Type Declarations
  • Anonymous Classes

PHP 7.0.0 is scheduled to be released on November 12th 2015.

LibreSSL 2.2.2 Released

A new version of LibreSSL has been released. More and more attention has been paid to OpenSSL since Heartbleed, which is a good thing! While this isn't quite where we need it to be, we are getting closer to a better and more secure internet.

Accepting Users and Comments

I am pleased to announce that we are now accepting new users to CodeRiot! As a user, you can create your own blog or comment on other users' blog posts.

Sign Up - Create an account today!

We currently support simple markdown for blog posts and comments. You can link to any site or image on the web, or include YouTube videos. If you have any problems, please send an email to webmaster@coderiot.com and I would be glad to assist you.

Welcome to CodeRiot!

Starting with the Blog

CodeRiot! is starting as a simple blog where I get to talk about all sorts of programming related material. It will grow into more, but everything has to start somewhere!

Welcome to CodeRiot!

Welcome to the very first article on CodeRiot! Over the coming weeks and months, this website will start hosting well-moderated and interesting programming conversations. I look forward to finding and sharing current programming wisdom. Additionally, here at CodeRiot! we will create the best code and project management software available.

We are proud believers in Open Source software and are always looking to give back to the Open Source community. To show our dedication to this wonderful community, all products and tools will be available free of charge to anyone developing Open Source software.

Welcome to CodeRiot!