* [2013-10-19 18:54:57 -0700] T.C. Hollingsworth wrote:

On Sat, Oct 19, 2013 at 5:36 PM, Stephen Gallagher <[email protected]> wrote:
Has there been a CVE issued (or requested) by upstream?

There's a request:
http://www.openwall.com/lists/oss-security/2013/10/19/4

I looked at the original announcement link, but they seem not to be describing 
the issue. This is problematic.

All I know is what the community has figured out thus far.  ;-)

This provides a decent technical overview of the issue:
https://news.ycombinator.com/item?id=6575080

It's also been reported that reverse-proxying (with nginx, haproxy,
etc.) may mitigate the issue since node isn't directly facing the
Internet as an HTTP server.  (This is very common in production
deployments, as you can imagine.)

If you need further information from a canonical source, please
contact Isaac Schlueter (the lead developer at Joyent) at <[email protected]>.

I'm CCing Vincent Danen of Red Hat's security response team and also the people 
responsible for Node.js in the Developer Toolset (which carries Node.js now) in 
case they aren't on the Fedora Node.js list.

If you need to backport, this is the patch for 0.10.x:
https://github.com/joyent/node/commit/b97c28f59ee898a81f0df988c249359c9b42701d.patch

And for 0.8.x:
https://github.com/joyent/node/commit/653d4db71f569ddc87a0bc21f5ecc5ceaf37f932.patch

0.6.x may also be affected, but upstream ended support for that branch
in late 2012.

Sorry, a little late to reply to this.

This was assigned CVE-2013-4450 and we have a bug here:

https://bugzilla.redhat.com/show_bug.cgi?id=1021170

Thanks for the links to the backported patches; I've noted those in our
bug.

--
Vincent Danen / Red Hat Security Response Team
