Has there been a CVE issued (or requested) by upstream? I looked at the 
original announcement link, but they seem not to be describing the issue. This 
is problematic. 

I'm CCing Vincent Danen of Red Hat's security response team and also the people 
responsible for Node.js in the Developer Toolset (which carries Node.js now) in 
case they aren't on the Fedora Node.js list.

> On Oct 19, 2013, at 8:26 PM, "T.C. Hollingsworth" <[email protected]> 
> wrote:
> 
> Hi, all!
> 
> So, last night I pushed an update for an undisclosed security update
> and promptly went to the bar afterward, and in the intervening time
> the whole Internet has gone crazy!
> 
> Now it's fairly widely reported that this is a pretty nasty DoS
> vulnerability, so I'd appreciate some karma on the following updates
> so we can get this pushed stable ASAP.  They've all been pushed to
> testing as of now.
> 
> F20: https://admin.fedoraproject.org/updates/FEDORA-2013-19512/
> F19: https://admin.fedoraproject.org/updates/FEDORA-2013-19497/
> F18: https://admin.fedoraproject.org/updates/FEDORA-2013-19491/
> EL6: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11891/
> 
> Upstream has somewhat deservedly been put through the wringer for
> handling this improperly, but in their defense the initial report was
> just made publicly on GitHub instead of by mail to [email protected]
> so they were pretty much screwed from the get go.  I did at least
> receive a nice apology in my inbox today from one of the lead
> developers for the lack of early notice to distributions.
> 
> Thanks in advance!
> -T.C.
> _______________________________________________
> nodejs mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/nodejs