I understand that it's frustrating to be told that there's a security vulnerability but not be given details, especially on a Friday afternoon. Please try to understand that we would not be so cagey about the particulars if it was not a serious issue.
This is a DoS vulnerability affecting anyone serving HTTP with Node. If you are using Node serving HTTP, you are almost certainly vulnerable. The issue is difficult to stumble upon accidentally, but trivial to exploit once known. We will be disclosing details once a reasonable amount of time has passed to give users a chance to update. (My expectation is that this will be a few weeks, but we'll gauge that based on feedback we receive about any problems people have upgrading.)

And the timing sucks. Again, we opted to release the fix as soon as it was available, rather than wait. Perhaps waiting until Monday would've been better, I'm not sure. You can't win with things like this.

If anyone is in charge of a large production Node.js deployment, and has any questions or complaints, feel free to email me directly (off-list) at i...@izs.me, and I'll do my best to let you know what's going on.

On Fri, Oct 18, 2013 at 3:58 PM, Timothy J Fontaine <tjfonta...@gmail.com> wrote:
> This release contains a security fix for the http server implementation,
> please upgrade as soon as possible. Details will be released soon.
>
> > 2013.10.18, Version 0.10.21 (Stable)
> >
> > * uv: Upgrade to v0.10.18
> > * crypto: clear errors from verify failure (Timothy J Fontaine)
> > * dtrace: interpret two byte strings (Dave Pacheco)
> > * fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)
> > * http: provide backpressure for pipeline flood (isaacs)
> > * tls: fix premature connection termination (Ben Noordhuis)
> >
> > Source Code: http://nodejs.org/dist/v0.10.21/node-v0.10.21.tar.gz
> > Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.21/node-v0.10.21.pkg
> > Windows Installer: http://nodejs.org/dist/v0.10.21/node-v0.10.21-x86.msi
> > Windows x64 Installer: http://nodejs.org/dist/v0.10.21/x64/node-v0.10.21-x64.msi
> > Windows x64 Files: http://nodejs.org/dist/v0.10.21/x64/
> > Linux 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x86.tar.gz
> > Linux 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x64.tar.gz
> > Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x86.tar.gz
> > Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x64.tar.gz
> > Other release files: http://nodejs.org/dist/v0.10.21/
> > Website: http://nodejs.org/docs/v0.10.21/
> > Documentation: http://nodejs.org/docs/v0.10.21/api/
> > Shasums:
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google Groups "nodejs" group.
> To post to this group, send email to nodejs@googlegroups.com
> To unsubscribe from this group, send email to nodejs+unsubscr...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
> ---
> You received this message because you are subscribed to the Google Groups "nodejs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.