Matt, you are right. But I was unsure because of this sentence in the
advisory: "This issue affects all versions of Node released before 0.10.21
and 0.8.26."

To be sure, I made a test on Node 0.6 using Isaac's exploit code:

spawning children
master: {"rss":13549568,"heapTotal":5327424,"heapUsed":2850888}
master: {"rss":13565952,"heapTotal":5327424,"heapUsed":2857824}
master: {"rss":13574144,"heapTotal":5327424,"heapUsed":2864328}
master: {"rss":13578240,"heapTotal":5327424,"heapUsed":2868456}
master: {"rss":13578240,"heapTotal":5327424,"heapUsed":2870792}
master: {"rss":13586432,"heapTotal":5327424,"heapUsed":2875800}
master: {"rss":13586432,"heapTotal":5327424,"heapUsed":2878064}
master: {"rss":12357632,"heapTotal":4741696,"heapUsed":2401808}
master: {"rss":12365824,"heapTotal":4741696,"heapUsed":2419992}
master: {"rss":12369920,"heapTotal":4741696,"heapUsed":2438856}

Node 0.6 is safe.

On Saturday, October 19, 2013 9:13:37 PM UTC+2, Matt Sergeant wrote:
>
> And it also shouldn't be vulnerable to the bug, should it? I thought it
> was related to Streams2?
>
>
> On Sat, Oct 19, 2013 at 5:53 AM, Ben Noordhuis <[email protected]> wrote:
>
>> On Sat, Oct 19, 2013 at 11:26 AM, dvbportal <[email protected]> wrote:
>> > Will there be a Node v0.6 maintenance release to fix the latest http
>> > vulnerability?
>>
>> Unlikely. v0.6 maintenance ended on December 31 2012.
>>
>> --
>> --
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines:
>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google
>> Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nodejs?hl=en?hl=en
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "nodejs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>