Description
Node.js has a defect that may make HTTP response splitting possible
under certain circumstances. If user input is passed to the reason
argument of writeHead() on an HTTP response, a newline character may be
used to inject additional responses (CVE-2016-5325).

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47 does
not properly handle wildcards in name fields of X.509 certificates, which
allows man-in-the-middle attackers to spoof servers via a crafted
certificate (CVE-2016-7099).
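
For the writeHead() issue (CVE-2016-5325), an application-side check on the reason phrase looks like the following. This is an added example, not code from Node.js or from this advisory; the helper names isValidReasonPhrase, writeHeadChecked and makeStubResponse are hypothetical, and the stub response and sample inputs are constructed.

```javascript
// Added example: validate a caller-supplied reason phrase before it reaches
// res.writeHead(). Helper names are hypothetical, not part of the Node.js API.

// RFC 7230 reason-phrase: HTAB, SP, visible ASCII, or obs-text (0x80-0xFF).
// CR, LF and every other control character fall outside this set.
const REASON_PHRASE = /^[\t\x20-\x7e\x80-\xff]*$/;

function isValidReasonPhrase(reason) {
  return typeof reason === 'string' && REASON_PHRASE.test(reason);
}

// Wrapper around res.writeHead(): reject a bad phrase instead of trying to
// strip characters from it, so the caller learns that its input was unsafe.
function writeHeadChecked(res, statusCode, reason, headers) {
  if (!isValidReasonPhrase(reason)) {
    throw new TypeError('invalid characters in HTTP reason phrase');
  }
  return res.writeHead(statusCode, reason, headers);
}

// Constructed stand-in for http.ServerResponse that records each call.
function makeStubResponse() {
  const calls = [];
  return { calls, writeHead: (...args) => { calls.push(args); } };
}

// Runs one ordinary phrase and one phrase containing CR LF through the wrapper.
function demo() {
  const res = makeStubResponse();
  const results = {};
  const samples = [['plain', 'Not Found'], ['crlf', 'OK\r\nX-Injected: 1']];
  for (const [name, reason] of samples) {
    try {
      writeHeadChecked(res, 404, reason, {});
      results[name] = 'written';
    } catch (e) {
      results[name] = 'rejected';
    }
  }
  return { results, forwarded: res.calls.length };
}
```

Only the phrase without control characters reaches writeHead(); the one carrying CR LF is refused before any header is written.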