Re: [nodejs] Node v0.10.21 (Stable)

2013-10-19 Thread jed
Thanks for the explanation Isaac, for what it's worth I'm glad to have the fix as early as possible, and agree with Jan that your strategy of releasing the fix asap and delaying the explanation is a good one. IMO critical security issues can hurt confidence in a platform, but behaviour like

[nodejs] Node v0.10.21 (Stable)

2013-10-18 Thread Timothy J Fontaine
This release contains a security fix for the http server implementation, please upgrade as soon as possible. Details will be released soon. 2013.10.18, Version 0.10.21 (Stable) * uv: Upgrade to v0.10.18 * crypto: clear errors from verify failure (Timothy J Fontaine) * dtrace: interpret two

Re: [nodejs] Node v0.10.21 (Stable)

2013-10-18 Thread Isaac Schlueter
I understand that it's frustrating to be told that there's a security vulnerability but not be given details, especially on a Friday afternoon. Please try to understand that we would not be so cagey about the particulars if it was not a serious issue. This is a DoS vulnerability affecting anyone

Re: [nodejs] Node v0.10.21 (Stable)

2013-10-18 Thread Jan Buschtöns
Heroku just send out a notice to all Node.js devs they know. Super nice. :) I think releasing a security fix ASAP and disclosing the details later on is a good tactic. Thanks everyone who worked on this! :) On Saturday, October 19, 2013 2:01:31 AM UTC+2, Isaac Schlueter wrote: I understand