Node.js sysadmins, get ready to patch

DoS bug fix coming

Update: Patch delayed to include coming SSH fix Sysadmins: within around the next 24 to 48 hours, watch out for an upcoming update to node.js to cover off a couple of vulnerabilities.

The most serious, CVE-2015-8027, is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued.

The DoS bug affects all versions of v0.12.x through to v5.x, but not versions 0.10.x.

The second, CVE-2015-6764, is an out-of-bounds access vulnerability only affects v4.x and v5.x. An attacker can trigger an out-of-bounds access and/or denial-of-service “if user-supplied JavaScript can be executed by an application”, the advisory says.

The foundation reckon's the second bug is only of medium severity.

The fixes are scheduled 1 December USA time / 2 December UTC.

The node.js Foundation community manager Mikeal Rogers told Infoworld there are so far no exploits for the bugs in the wild. ®

Update: The node.js Foundation got in touch with The Register to advise that the patch has been delayed. This is because there's an upcoming OpenSSL fix due on 3 December that will be incorporated in the node.js update. More here. ®

Biting the hand that feeds IT © 1998–2019