Path Validation Vunerability
794 views
Skip to first unread message
Michael Dawson
Sep 27, 2017, 10:14:32 AM9/27/17
to nodejs-sec
Summary
The Node.js project released a new versions of 8.x this week which incorporates a security fix.
Impact
Version 8.5.0 of Node.js is vulnerable.
4.x and 6.x versions are NOT vulnerable.
Downloads
Node.js-specific security flaws
Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.
This problem was resolved within Node.js by partially reverting https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332.
A CVE will be requested and the number will be posted once available.
Contact and future updates
The current Node.js security policy can be found at https://nodejs.org/en/security/.
Please contact secu...@nodejs.org if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.
Michael Dawson
Sep 27, 2017, 4:38:58 PM9/27/17
to Stephen Gallagher, nodejs-sec
Yes the download link in the post points
to version 8.6.0
From: Stephen Gallagher <ste...@gallagherhome.com>
To: Michael Dawson <michael...@ca.ibm.com>, nodejs-sec <nodej...@googlegroups.com>
Date: 09/27/2017 12:41 PM
Subject: Re: Path Validation Vunerability
It was unclear from this email; is this fix included in the recent Node.js 8.6.0 release?
On Wed, Sep 27, 2017 at 10:14 AM Michael Dawson <michael...@ca.ibm.com> wrote:
Summary
The Node.js project released a new versions of 8.x this week which incorporates a security fix.
Impact
Version 8.5.0 of Node.js is vulnerable.
4.x and 6.x versions are NOT vulnerable.
Downloads
Node.js 8 (Current)
Node.js-specific security flaws
Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.
This problem was resolved within Node.js by partially reverting https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332.
A CVE will be requested and the number will be posted once available.
Contact and future updates
The current Node.js security policy can be found at https://nodejs.org/en/security/.
Please contact secu...@nodejs.orgif you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-secto stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.
--
You received this message because you are subscribed to the Google Groups "nodejs-sec" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs-sec+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
| Regards, Michael (M.H.) Dawson Runtime Technologies Node.js Technical Lead Software Developer and Master Inventor |
| Phone:1-613-356-5484 | Phone:1-343-882-2473 E-mail: Michael...@ca.ibm.com Find me on: | 3755 Riverside Drive Ottawa, ON K1V 1B8 Canada |
From: Stephen Gallagher <ste...@gallagherhome.com>
To: Michael Dawson <michael...@ca.ibm.com>, nodejs-sec <nodej...@googlegroups.com>
Date: 09/27/2017 12:41 PM
Subject: Re: Path Validation Vunerability
It was unclear from this email; is this fix included in the recent Node.js 8.6.0 release?
On Wed, Sep 27, 2017 at 10:14 AM Michael Dawson <michael...@ca.ibm.com> wrote:
Summary
The Node.js project released a new versions of 8.x this week which incorporates a security fix.
Impact
Version 8.5.0 of Node.js is vulnerable.
4.x and 6.x versions are NOT vulnerable.
Downloads
Node.js 8 (Current)
Node.js-specific security flaws
Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.
This problem was resolved within Node.js by partially reverting https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332.
A CVE will be requested and the number will be posted once available.
Contact and future updates
The current Node.js security policy can be found at https://nodejs.org/en/security/.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-secto stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.
--
You received this message because you are subscribed to the Google Groups "nodejs-sec" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs-sec+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Michael Dawson
Sep 29, 2017, 4:22:30 PM9/29/17
to nodejs-sec
The CVE has been assigned as CVE-2017-14849.
Reply all
Reply to author
Forward
0 new messages