Heroku just sent out a notice to all Node.js devs they know. Super nice. :)
I think releasing a security fix ASAP and disclosing the details later on is a good tactic. Thanks everyone who worked on this! :)

On Saturday, October 19, 2013 2:01:31 AM UTC+2, Isaac Schlueter wrote:
> I understand that it's frustrating to be told that there's a security vulnerability but not be given details, especially on a Friday afternoon. Please try to understand that we would not be so cagey about the particulars if it was not a serious issue.
>
> This is a DoS vulnerability affecting anyone serving HTTP with Node. If you are using Node serving HTTP, you are almost certainly vulnerable.
>
> The issue is difficult to stumble upon accidentally, but trivial to exploit once known. We will be disclosing details once a reasonable amount of time has passed to give users a chance to update. (My expectation is that this will be a few weeks, but we'll gauge that based on feedback we receive about any problems people have upgrading.)
>
> And the timing sucks. Again, we opted to release the fix as soon as it was available, rather than wait. Perhaps waiting until Monday would've been better, I'm not sure. You can't win with things like this.
>
> If anyone is in charge of a large production Node.js deployment, and has any questions or complaints, feel free to email me directly (off-list) at [email protected], and I'll do my best to let you know what's going on.
>
>
> On Fri, Oct 18, 2013 at 3:58 PM, Timothy J Fontaine <[email protected]> wrote:
> > This release contains a security fix for the http server implementation, please upgrade as soon as possible. Details will be released soon.
> >
> > 2013.10.18, Version 0.10.21 (Stable)
> >
> > * uv: Upgrade to v0.10.18
> > * crypto: clear errors from verify failure (Timothy J Fontaine)
> > * dtrace: interpret two byte strings (Dave Pacheco)
> > * fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)
> > * http: provide backpressure for pipeline flood (isaacs)
> > * tls: fix premature connection termination (Ben Noordhuis)
> >
> > Source Code: http://nodejs.org/dist/v0.10.21/node-v0.10.21.tar.gz
> > Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.21/node-v0.10.21.pkg
> > Windows Installer: http://nodejs.org/dist/v0.10.21/node-v0.10.21-x86.msi
> > Windows x64 Installer: http://nodejs.org/dist/v0.10.21/x64/node-v0.10.21-x64.msi
> > Windows x64 Files: http://nodejs.org/dist/v0.10.21/x64/
> > Linux 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x86.tar.gz
> > Linux 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x64.tar.gz
> > Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x86.tar.gz
> > Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x64.tar.gz
> > Other release files: http://nodejs.org/dist/v0.10.21/
> > Website: http://nodejs.org/docs/v0.10.21/
> > Documentation: http://nodejs.org/docs/v0.10.21/api/
> >
> > Shasums:
> > ```
> > fb1318fb7721aa292310599e7c6696edebcfd70d node-v0.10.21-darwin-x64.tar.gz
> > 486235cc54d269d1961dfb150b1479ec14e83541 node-v0.10.21-darwin-x86.tar.gz
> > 7528d2fa240a5dd88d37e4847cebec50ef40c8eb node-v0.10.21-linux-x64.tar.gz
> > b372abf9d9c53bfe675e2c3f71dcfdece44edddd node-v0.10.21-linux-x86.tar.gz
> > cb873cdff3f30aa198b52c8be3588745d2ee3933 node-v0.10.21-sunos-x64.tar.gz
> > 020d202d7066b68f160d0ceebe8cc8306de25956 node-v0.10.21-sunos-x86.tar.gz
> > 037ea0e3be3512da2bc94aa765fa89d61da3e275 node-v0.10.21-x86.msi
> > de2bd0e858f99098ef24f99f972b8088c1f0405c node-v0.10.21.pkg
> > b7fd2a3660635af40e3719ca0db49280d10359b2 node-v0.10.21.tar.gz
> > a0e3988170beee1273a2fb6d650bf17db8495c67 node.exe
> > 99332a03aeba8a22254d671665b9b2161a64bd84 node.exp
> > 263dafeec907bd1f28ceb8272b9caaadceacb4d6 node.lib
> > 76d578bf352772dc4db9ebb95fb61cf18e34c80d node.pdb
> > b6d11b67ce7aaff5c7a456a4c85c80849a3d576e pkgsrc/nodejs-ia32-0.10.21.tgz
> > b116825d1d2cbcfd567f730b1c2452424508b062 pkgsrc/nodejs-x64-0.10.21.tgz
> > 29632c5a21a4ebf89703e417852306a676f6ede8 x64/node-v0.10.21-x64.msi
> > 033b0a2b57e031a9e47f0b28eb4dc50a5389b592 x64/node.exe
> > f62b53229d77eaddf1f3a7909ef6533eea0e2295 x64/node.exp
> > 8d5cfe83c3bc78ddcf79de9d065d1b4f2af9347e x64/node.lib
> > 6844e78e9ba80bfa48f6c150544e3e73d83dd316 x64/node.pdb
> > ```
> >
> > --
> > Job Board: http://jobs.nodejs.org/
> > Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> > You received this message because you are subscribed to the Google Groups "nodejs" group.
> > To post to this group, send email to [email protected]
> > To unsubscribe from this group, send email to [email protected]
> > For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
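A defender-side companion to the announcement above, added here and not part of the thread or of the Node.js project: a POSIX shell helper that checks whether a running Node is at or above the patched 0.10.21 (the version named in the release notes) and verifies a downloaded release file against the published shasums list before it is unpacked. The function names, the `SHASUMS` filename in the usage comments and the exit-code convention are assumptions of this example, not anything the release itself defines.

```shell
#!/bin/sh
# Added example (not from the thread or the Node.js project): check that the
# installed Node is at or above the patched release, and verify a downloaded
# release file against the published SHA-1 list before installing it.
set -u

# First release carrying the http server fix, as stated in the announcement.
MIN_VERSION="0.10.21"

# version_at_least A B: succeed if dotted version A is >= B.
# Pure POSIX sh: compares up to three numeric components; missing ones count as 0.
version_at_least() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# node_is_patched VERSION: VERSION as printed by `node -v` (leading "v" allowed).
node_is_patched() {
    version_at_least "${1#v}" "$MIN_VERSION"
}

# sha1_of FILE: print the hex SHA-1 (sha1sum on Linux, shasum on macOS/BSD).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_release_file SHASUMS FILE [NAME]: look NAME (default: basename of FILE)
# up in the published list (lines of "<sha1> <relative name>", as posted in the
# announcement) and compare with the locally computed digest.
# Exit status: 0 match, 1 mismatch, 2 file not listed.
verify_release_file() {
    sums="$1"; file="$2"; name="${3:-$(basename "$2")}"
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: no published digest in $sums" >&2
        return 2
    fi
    actual=$(sha1_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "$name: digest mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# Usage, from a directory holding the downloaded SHASUMS list and release tarball:
#   node_is_patched "$(node -v)" || echo "upgrade needed: running $(node -v), need >= $MIN_VERSION"
#   verify_release_file SHASUMS node-v0.10.21.tar.gz && echo "digest matches, safe to unpack"
```

Pass the third argument when the published name carries a directory prefix (for example `x64/node.exe`), since the list distinguishes the 32-bit `node.exe` from the x64 one only by that prefix. A SHA-1 match only confirms the download is the file the project published; it says nothing about the list itself, so fetch the shasums over the same trusted channel as the announcement.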
