Node.js sysadmins, get ready to patch
DoS bug fix coming
Update: Patch delayed to include coming SSH fix Sysadmins: within around the next 24 to 48 hours, watch out for an upcoming update to node.js to cover off a couple of vulnerabilities.
The most serious, CVE-2015-8027, is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued.
The DoS bug affects all versions of v0.12.x through to v5.x, but not versions 0.10.x.
The foundation reckon's the second bug is only of medium severity.
The fixes are scheduled 1 December USA time / 2 December UTC.
The node.js Foundation community manager Mikeal Rogers told Infoworld there are so far no exploits for the bugs in the wild. ®
Update: The node.js Foundation got in touch with The Register to advise that the patch has been delayed. This is because there's an upcoming OpenSSL fix due on 3 December that will be incorporated in the node.js update. More here. ®