|Node v0.10.21 (Stable)||Timothy J Fontaine||10/18/13 3:58 PM|
This release contains a security fix for the http server implementation. Please
upgrade as soon as possible. Details will be released soon.
2013.10.18, Version 0.10.21 (Stable)
* uv: Upgrade to v0.10.18
* crypto: clear errors from verify failure (Timothy J Fontaine)
* dtrace: interpret two byte strings (Dave Pacheco)
* fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)
* http: provide backpressure for pipeline flood (isaacs)
* tls: fix premature connection termination (Ben Noordhuis)
Source Code: http://nodejs.org/dist/v0.10.21/node-v0.10.21.tar.gz
Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.21/node-v0.10.21.pkg
Windows Installer: http://nodejs.org/dist/v0.10.21/node-v0.10.21-x86.msi
Windows x64 Installer: http://nodejs.org/dist/v0.10.21/x64/node-v0.10.21-x64.msi
Windows x64 Files: http://nodejs.org/dist/v0.10.21/x64/
Linux 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x86.tar.gz
Linux 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x64.tar.gz
Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x86.tar.gz
Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x64.tar.gz
Other release files: http://nodejs.org/dist/v0.10.21/
|Re: [nodejs] Node v0.10.21 (Stable)||Isaac Schlueter||10/18/13 5:01 PM|
I understand that it's frustrating to be told that there's a security
vulnerability but not be given details, especially on a Friday
afternoon. Please try to understand that we would not be so cagey
about the particulars if it was not a serious issue.
This is a DoS vulnerability affecting anyone serving HTTP with Node.
If you are using Node serving HTTP, you are almost certainly
The issue is difficult to stumble upon accidentally, but trivial to
exploit once known. We will be disclosing details once a reasonable
amount of time has passed to give users a chance to update. (My
expectation is that this will be a few weeks, but we'll gauge that
based on feedback we receive about any problems people have
And the timing sucks. Again, we opted to release the fix as soon as
it was available, rather than wait. Perhaps waiting until Monday
would've been better, I'm not sure. You can't win with things like
If anyone is in charge of a large production Node.js deployment, and
has any questions or complaints, feel free to email me directly
(off-list) at i...@izs.me, and I'll do my best to let you know what's
|Re: [nodejs] Node v0.10.21 (Stable)||Jan Buschtöns||10/18/13 10:00 PM|
Heroku just sent out a notice to all Node.js devs they know. Super nice. :)
I think releasing a security fix ASAP and disclosing the details later on is a good tactic. Thanks everyone who worked on this! :)
|Re: [nodejs] Node v0.10.21 (Stable)||j...@keystonejs.com||10/18/13 10:48 PM|
Thanks for the explanation Isaac, for what it's worth I'm glad to have the fix as early as possible, and agree with Jan that your strategy of releasing the fix asap and delaying the explanation is a good one.
IMO critical security issues can hurt confidence in a platform, but behaviour like this does the opposite. Good work, and thanks :)
|Re: Node v0.10.21 (Stable)||Gabriel Falkenberg||10/19/13 2:40 PM|
|Re: [nodejs] Re: Node v0.10.21 (Stable)||Ben Noordhuis||10/19/13 3:36 PM|
On Sat, Oct 19, 2013 at 11:40 PM, Gabriel Falkenberg
We use major.minor.patch version numbers. It's the minor number that
determines whether a release is stable. That means v0.10.x releases
are stable while v0.11.x releases are unstable (from an API/ABI
|Re: Node v0.10.21 (Stable)||Jonathan Rudenberg||10/20/13 1:11 PM|
I went ahead and requested a CVE:
|Re: [nodejs] Re: Node v0.10.21 (Stable)||Arunoda Susiripala||10/21/13 2:09 AM|
You've a point. But if someone really needs to exploit this, they will do the attack anyhow.
But I hope this is to prevent especially script kiddies from exploiting Node using this issue. I think this is a good idea.