Node.js announced a security release this weekend. According to upstream's official release announcement, this vulnerability does not, nor has it ever, affected the 0.10.x series as shipped in all current releases of Fedora and EPEL.
There is no need to update your systems; they were never vulnerable.
Thanks, T.C.
---------- Forwarded message ----------
From: Rod Vagg rvagg@nodesource.com
Date: Fri, Jul 3, 2015 at 8:47 PM
Subject: NODE.JS SECURITY: Node.js v0.12.6 and io.js v2.3.3
To: security@nodejs.org
Bcc: tchollingsworth@gmail.com
The Node.js Foundation TSC sincerely apologizes for the rushed handling of this security fix. Evening in the USA on the weekend of the 4th of July is not ideal and we would have preferred to make a more measured response to this incident.
We made the call to push forward because details about the bug and potential exploit have inadvertently made their way to a public forum. We decided that we would rather provide companies and users the tools to protect themselves and mitigate DoS attacks if they become a reality.
If you are using Node.js v0.12 or any version of io.js please upgrade. Node.js v0.10 is not affected.
* Node.js v0.12.6 is available at http://nodejs.org/dist/latest/
* io.js v2.3.3 is available at https://iojs.org/dist/latest/
* io.js v1.8.3 is available at https://iojs.org/dist/v1.8.3/ for any users still on v1.8.
The quick summary of the bug: Kris Reeves and Trevor Norris pinpointed a bug in V8 in the way it decodes UTF strings. This impacts Node at `Buffer` to UTF8 `String` conversions and can cause a process to crash.

The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path. We know that most networking and filesystem operations are impacted as would be many user-land uses of `Buffer` to UTF8 `String` conversion.

We know that HTTP(S) header parsing is _not_ vulnerable because Node does not convert this data as UTF8. This is a small consolation because it restricts the way HTTP(S) can be exploited but there is more to HTTP(S) than header parsing obviously and we have confirmed that HTTP(S) is vulnerable via body parsing. We also have no information yet on how the various TLS terminators and forward-proxies in use may potentially mitigate against the form of data required for this exploit but it would be safe to assume that these are not a protective layer against a DoS attack.
An initial ETA provided was midday PDT on the 3rd; that was based on the information we had available. Unfortunately, the patch was not quite ready and there was an extended test and verification process for V8, io.js and Node.js during the day. The builds also take some time on top of that, hence the delay. Fedor Indutny created the fix; Ben Noordhuis, Trevor Norris, Julien Gilli, Michael Dawson and Jeremiah Senkpiel all worked very hard to make this land successfully.
If you have any further questions or concerns please contact us at security@nodejs.org or respond to this email.
- Node.js Foundation TSC
nodejs@lists.fedoraproject.org
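
Added example, not part of the announcement or of the Node.js project's code: a triage helper that applies the version guidance in the forwarded message to a host inventory. The function names, the "host version" inventory format and the sample data are assumptions made for this sketch; it also assumes 0.x versions are Node.js and 1.x/2.x are io.js, and reports any release line the announcement does not mention as `unknown` instead of guessing.

```javascript
// First fixed release per release line, taken from the announcement above.
const FIXED = { '0.12': [0, 12, 6], '1': [1, 8, 3], '2': [2, 3, 3] };

// Accepts "v0.12.5" or "0.12.5"; anything else (pre-release tags, junk) is null.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'not-affected', 'upgrade', 'fixed' or 'unknown'.
function triage(versionText) {
  const v = parseVersion(versionText);
  if (!v) return 'unknown';
  if (v[0] === 0 && v[1] === 10) return 'not-affected'; // stated explicitly
  const line = v[0] === 0 ? '0.' + v[1] : String(v[0]);
  const fixed = FIXED[line];
  if (!fixed) return 'unknown'; // release line not covered by the announcement
  return compare(v, fixed) < 0 ? 'upgrade' : 'fixed';
}

// Each inventory line is "<host> <version>"; blank lines and # comments are skipped.
function triageInventory(lines) {
  return lines
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .map((l) => {
      const [host, version] = l.split(/\s+/);
      return { host, version, status: triage(version) };
    });
}

// Constructed sample inventory (hypothetical hosts).
const SAMPLE = [
  '# host version',
  'web-1 v0.10.38',
  'api-1 v0.12.5',
  'api-2 v0.12.6',
  'worker-1 v2.3.2',
  'legacy-1 v1.8.3',
];
for (const r of triageInventory(SAMPLE)) console.log(r.host, r.version, r.status);
```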