Thanks for the explanation Isaac, for what it's worth I'm glad to have the
fix as early as possible, and agree with Jan that your strategy of
releasing the fix asap and delaying the explanation is a good one.
IMO critical security issues can hurt confidence in a platform, but
behaviour like
This release contains a security fix for the http server implementation,
please
upgrade as soon as possible. Details will be released soon.
2013.10.18, Version 0.10.21 (Stable)
* uv: Upgrade to v0.10.18
* crypto: clear errors from verify failure (Timothy J Fontaine)
* dtrace: interpret two
I understand that it's frustrating to be told that there's a security
vulnerability but not be given details, especially on a Friday
afternoon. Please try to understand that we would not be so cagey
about the particulars if it was not a serious issue.
This is a DoS vulnerability affecting anyone
Heroku just send out a notice to all Node.js devs they know. Super nice. :)
I think releasing a security fix ASAP and disclosing the details later on
is a good tactic. Thanks everyone who worked on this! :)
On Saturday, October 19, 2013 2:01:31 AM UTC+2, Isaac Schlueter wrote:
I understand