Path Validation Vunerability

768 views
Skip to first unread message

Michael Dawson

unread,
Sep 27, 2017, 10:14:32 AM9/27/17
to nodejs-sec
Summary

The Node.js project released a new versions of 8.x this week which incorporates a security fix.

Impact

Version 8.5.0 of Node.js is vulnerable.
4.x and 6.x versions are NOT vulnerable.

Downloads

Node.js-specific security flaws

Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.

This problem was resolved within Node.js by partially reverting https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332.

A CVE will be requested and the number will be posted once available.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/.

Please contact secu...@nodejs.org if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.

Michael Dawson

unread,
Sep 27, 2017, 4:38:58 PM9/27/17
to Stephen Gallagher, nodejs-sec
Yes the download link in the post points to version 8.6.0


Regards,

Michael (M.H.) Dawson
Runtime Technologies Node.js Technical Lead
Software Developer and Master Inventor


Phone:1-613-356-5484 | Phone:1-343-882-2473
E-mail:
Michael...@ca.ibm.com
Find me on:
LinkedIn: https://ca.linkedin.com/in/michael-dawson-6051282 Twitter: https://twitter.com/@mhdawson1


3755 Riverside Drive
Ottawa, ON K1V 1B8
Canada





From:        Stephen Gallagher <ste...@gallagherhome.com>
To:        Michael Dawson <michael...@ca.ibm.com>, nodejs-sec <nodej...@googlegroups.com>
Date:        09/27/2017 12:41 PM
Subject:        Re: Path Validation Vunerability




It was unclear from this email; is this fix included in the recent Node.js 8.6.0 release?


On Wed, Sep 27, 2017 at 10:14 AM Michael Dawson <michael...@ca.ibm.com> wrote:
Summary

The Node.js project released a new versions of 8.x this week which incorporates a security fix.

Impact

Version 8.5.0 of Node.js is vulnerable.
4.x and 6.x versions are NOT vulnerable.

Downloads
Node.js 8 (Current)

Node.js-specific security flaws

Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.

This problem was resolved within Node.js by partially reverting https://github.com/nodejs/node/commit/b98e8d995efb426bbdee56ce503017bdcbbc6332.

A CVE will be requested and the number will be posted once available.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/.

Please contact secu...@nodejs.orgif you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-secto stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.
--
You received this message because you are subscribed to the Google Groups "nodejs-sec" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
nodejs-sec+...@googlegroups.com.
For more options, visit
https://groups.google.com/d/optout.


Michael Dawson

unread,
Sep 29, 2017, 4:22:30 PM9/29/17
to nodejs-sec
Reply all
Reply to author
Forward
0 new messages