Node v0.10.21 (Stable)


Timothy J Fontaine

Oct 18, 2013, 6:58:01 PM
to nod...@googlegroups.com
This release contains a security fix for the http server implementation; please
upgrade as soon as possible. Details will be released soon.

2013.10.18, Version 0.10.21 (Stable)

* uv: Upgrade to v0.10.18

* crypto: clear errors from verify failure (Timothy J Fontaine)

* dtrace: interpret two byte strings (Dave Pacheco)

* fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)

* http: provide backpressure for pipeline flood (isaacs)

* tls: fix premature connection termination (Ben Noordhuis)



Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.21/node-v0.10.21.pkg

Shasums:

Isaac Schlueter

Oct 18, 2013, 8:01:31 PM
to nodejs
I understand that it's frustrating to be told that there's a security
vulnerability but not be given details, especially on a Friday
afternoon. Please try to understand that we would not be so cagey
about the particulars if it was not a serious issue.

This is a DoS vulnerability affecting anyone serving HTTP with Node.
If you are using Node serving HTTP, you are almost certainly
vulnerable.

The issue is difficult to stumble upon accidentally, but trivial to
exploit once known. We will be disclosing details once a reasonable
amount of time has passed to give users a chance to update. (My
expectation is that this will be a few weeks, but we'll gauge that
based on feedback we receive about any problems people have
upgrading.)

And the timing sucks. Again, we opted to release the fix as soon as
it was available, rather than wait. Perhaps waiting until Monday
would've been better, I'm not sure. You can't win with things like
this.

If anyone is in charge of a large production Node.js deployment, and
has any questions or complaints, feel free to email me directly
(off-list) at i...@izs.me, and I'll do my best to let you know what's
going on.

Jan Buschtöns

Oct 19, 2013, 1:00:39 AM
to nod...@googlegroups.com, i...@izs.me
Heroku just sent out a notice to all Node.js devs they know. Super nice. :)

I think releasing a security fix ASAP and disclosing the details later on is a good tactic. Thanks everyone who worked on this! :)

j...@keystonejs.com

Oct 19, 2013, 1:48:10 AM
to nod...@googlegroups.com, i...@izs.me
Thanks for the explanation Isaac, for what it's worth I'm glad to have the fix as early as possible, and agree with Jan that your strategy of releasing the fix asap and delaying the explanation is a good one.

IMO critical security issues can hurt confidence in a platform, but behaviour like this does the opposite. Good work, and thanks :)

Gabriel Falkenberg

Oct 19, 2013, 5:40:03 PM
to nod...@googlegroups.com
Is this the end of the versioning scheme mentioned on https://github.com/joyent/node/wiki/FAQ that even versions are stable and odd versions are unstable?

Best regards,
Gabriel Falkenberg

Ben Noordhuis

Oct 19, 2013, 6:36:06 PM
to nod...@googlegroups.com
On Sat, Oct 19, 2013 at 11:40 PM, Gabriel Falkenberg
<gabriel.f...@gmail.com> wrote:
> Is this the end of the versioning scheme mentioned on
> https://github.com/joyent/node/wiki/FAQ that even versions are stable and
> odd versions are unstable?

We use major.minor.patch version numbers. It's the minor number that
determines whether a release is stable. That means v0.10.x releases
are stable while v0.11.x releases are unstable (from an API/ABI
perspective).

jona...@titanous.com

Oct 20, 2013, 4:11:05 PM
to nod...@googlegroups.com
I went ahead and requested a CVE:

-------- Original Message --------
Subject: Re: CVE Request: Node.js HTTP Pipelining DoS
Date: Sat, 19 Oct 2013 22:25:52 -0600
From: Kurt Seifried <kseifried@redhat com>
Organization: Red Hat Inc.


On 10/19/2013 09:43 AM, Jonathan Rudenberg wrote:
> Node.js is vulnerable to DoS when a client sends too many pipelined
> HTTP requests.
> Links:
>
>  This issue affects all versions of Node released before 0.10.21
> and 0.8.26.

So my first reply bounced off the list (hopefully this one does not).

Please use CVE-2013-4450 for this issue.

As for shipping a security update with "no details" in order to
protect people this doesn't work very well when you're open source and
leave the keyword in the source code where the fix is and add comments
that give all the details.

You might as well release details in the advisory so that the good guys
can quickly assess the issue and deal with it properly, rather than
pretending that the bad guys can't read the source code and figure out
how to exploit this. It took me literally all of five minutes to
download the current version, the previous version minus one, diff
them, and look for the keyword "piplined" (what can I say, I was
eating a sandwich and only had one hand free ;).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
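An added illustration, not code from the release or from Node's http.js, of the pipelined-request flood the CVE description above refers to and of the kind of backpressure named in the 0.10.21 changelog entry. FakeSocket, PipelineGate, simulateFlood and the MAX_PENDING cap are assumptions of this model; the cap stands in for the signal a real server would take from its write side.

```javascript
// Added model (not Node's http.js) of the pipelined-request flood behind CVE-2013-4450
// and of the backpressure the 0.10.21 fix added. MAX_PENDING is an assumed cap.
const MAX_PENDING = 4;

// Split buffered stream data into complete request heads (bodies ignored, as for GET).
function splitRequests(buf) {
  const heads = [];
  for (let i; (i = buf.indexOf('\r\n\r\n')) >= 0; buf = buf.slice(i + 4)) heads.push(buf.slice(0, i));
  return { heads, rest: buf };
}

// In-memory stand-in for net.Socket: pause() stops delivery of chunks the peer already sent.
class FakeSocket {
  constructor(onData) { this.onData = onData; this.queue = []; this.paused = false; }
  pause() { this.paused = true; }
  resume() { this.paused = false; this.deliver(); }
  feed(chunk) { this.queue.push(chunk); this.deliver(); }
  deliver() { while (!this.paused && this.queue.length) this.onData(this.queue.shift()); }
}

// Counts responses still owed on one connection. Without backpressure every pipelined
// request is parsed and held; with it, reading pauses at MAX_PENDING and resumes as responses finish.
class PipelineGate {
  constructor(backpressure) {
    Object.assign(this, { backpressure, pending: 0, buffered: '', paused: false });
    this.socket = new FakeSocket((chunk) => this.onData(chunk));
  }
  onData(chunk) {
    const { heads, rest } = splitRequests(this.buffered + chunk);
    this.buffered = rest;
    this.pending += heads.length; // unanswered requests now held by the server
    if (!this.backpressure || this.pending < MAX_PENDING || this.paused) return;
    this.paused = true;
    this.socket.pause(); // stop reading until the server catches up
  }
  onResponseFinished() {
    this.pending--;
    if (this.paused && this.pending < MAX_PENDING) { this.paused = false; this.socket.resume(); }
  }
}
// Feed n pipelined GETs (constructed traffic) one chunk at a time, let the server
// finish one response, and report how many requests it holds at each point.
function simulateFlood(backpressure, n) {
  const gate = new PipelineGate(backpressure);
  for (let i = 0; i < n; i++) gate.socket.feed(`GET /${i} HTTP/1.1\r\nHost: example.test\r\n\r\n`);
  const afterFlood = { pending: gate.pending, unread: gate.socket.queue.length };
  gate.onResponseFinished();
  return { afterFlood, afterResponse: { pending: gate.pending, unread: gate.socket.queue.length } };
}
```

Pausing only stops further reads: requests that arrived in a chunk the server has already taken are still parsed, so the cap bounds growth per read rather than enforcing an exact limit.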

Arunoda Susiripala

Oct 21, 2013, 5:09:16 AM
to nod...@googlegroups.com
You've a point. But if someone really needs to exploit this, they will do the attack anyhow.

But I hope this is to prevent especially script kiddies from exploiting Node using this issue. I think this is a good idea.

