On Sat, Oct 19, 2013 at 5:36 PM, Stephen Gallagher <[email protected]> wrote:
> Has there been a CVE issued (or requested) by upstream?

There's a request:
http://www.openwall.com/lists/oss-security/2013/10/19/4

> I looked at the original announcement link, but they seem not to be
> describing the issue. This is problematic.

All I know is what the community has figured out thus far. ;-)

This provides a decent technical overview of the issue:
https://news.ycombinator.com/item?id=6575080

It's also been reported that reverse-proxying (with nginx, haproxy, etc.) may mitigate the issue since node isn't directly facing the Internet as an HTTP server. (This is very common in production deployments, as you can imagine.)

If you need further information from a canonical source, please contact Isaac Schlueter (the lead developer at Joyent) at <[email protected]>.

> I'm CCing Vincent Danen of Red Hat's security response team and also the
> people responsible for Node.js in the Developer Toolset (which carries
> Node.js now) in case they aren't on the Fedora Node.js list.

If you need to backport, this is the patch for 0.10.x:
https://github.com/joyent/node/commit/b97c28f59ee898a81f0df988c249359c9b42701d.patch

And for 0.8.x:
https://github.com/joyent/node/commit/653d4db71f569ddc87a0bc21f5ecc5ceaf37f932.patch

0.6.x may also be affected, but upstream ended support for that branch in late 2012.

-T.C.
