Has there been a CVE issued (or requested) by upstream? I looked at the original announcement link, but they seem not to be describing the issue. This is problematic.
I'm CCing Vincent Danen of Red Hat's security response team and also the people responsible for Node.js in the Developer Toolset (which carries Node.js now) in case they aren't on the Fedora Node.js list.
On Oct 19, 2013, at 8:26 PM, "T.C. Hollingsworth" <tchollingsworth@gmail.com> wrote:
Hi, all!
So, last night I pushed an update for an undisclosed security update and promptly went to the bar afterward, and in the intervening time the whole Internet has gone crazy!
Now it's fairly widely reported that this is a pretty nasty DoS vulnerability, so I'd appreciate some karma on the following updates so we can get this pushed stable ASAP. They've all been pushed to testing as of now.
F20: https://admin.fedoraproject.org/updates/FEDORA-2013-19512/
F19: https://admin.fedoraproject.org/updates/FEDORA-2013-19497/
F18: https://admin.fedoraproject.org/updates/FEDORA-2013-19491/
EL6: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11891/
Upstream has somewhat deservedly been put through the wringer for handling this improperly, but in their defense the initial report was just made publicly on GitHub instead of by mail to security@nodejs.org, so they were pretty much screwed from the get-go. I did at least receive a nice apology in my inbox today from one of the lead developers for the lack of early notice to distributions.
Thanks in advance!
-T.C.

_______________________________________________
nodejs mailing list
nodejs@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/nodejs