Hi, all!
So, last night I pushed an update for an undisclosed security update and promptly went to the bar afterward, and in the intervening time the whole Internet has gone crazy!
Now it's fairly widely reported that this is a pretty nasty DoS vulnerability, so I'd appreciate some karma on the following updates so we can get this pushed stable ASAP. They've all been pushed to testing as of now.
F20: https://admin.fedoraproject.org/updates/FEDORA-2013-19512/
F19: https://admin.fedoraproject.org/updates/FEDORA-2013-19497/
F18: https://admin.fedoraproject.org/updates/FEDORA-2013-19491/
EL6: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11891/
Upstream has somewhat deservedly been put through the wringer for handling this improperly, but in their defense the initial report was just made publicly on GitHub instead of by mail to security@nodejs.org, so they were pretty much screwed from the get-go. I did at least receive a nice apology in my inbox today from one of the lead developers for the lack of early notice to distributions.
Thanks in advance! -T.C.
Has there been a CVE issued (or requested) by upstream? I looked at the original announcement link, but they seem not to be describing the issue. This is problematic.
I'm CCing Vincent Danen of Red Hat's security response team and also the people responsible for Node.js in the Developer Toolset (which carries Node.js now) in case they aren't on the Fedora Node.js list.
On Oct 19, 2013, at 8:26 PM, "T.C. Hollingsworth" tchollingsworth@gmail.com wrote:
On Sat, Oct 19, 2013 at 5:36 PM, Stephen Gallagher sgallagh@redhat.com wrote:
Has there been a CVE issued (or requested) by upstream?
There's a request: http://www.openwall.com/lists/oss-security/2013/10/19/4
I looked at the original announcement link, but they seem not to be describing the issue. This is problematic.
All I know is what the community has figured out thus far. ;-)
This provides a decent technical overview of the issue: https://news.ycombinator.com/item?id=6575080
It's also been reported that reverse-proxying (with nginx, haproxy, etc.) may mitigate the issue since node isn't directly facing the Internet as an HTTP server. (This is very common in production deployments, as you can imagine.)
If you need further information from a canonical source, please contact Isaac Schlueter (the lead developer at Joyent) at i@izs.me.
I'm CCing Vincent Danen of Red Hat's security response team and also the people responsible for Node.js in the Developer Toolset (which carries Node.js now) in case they aren't on the Fedora Node.js list.
If you need to backport, this is the patch for 0.10.x: https://github.com/joyent/node/commit/b97c28f59ee898a81f0df988c249359c9b4270...
And for 0.8.x: https://github.com/joyent/node/commit/653d4db71f569ddc87a0bc21f5ecc5ceaf37f9...
0.6.x may also be affected, but upstream ended support for that branch in late 2012.
-T.C.
* [2013-10-19 18:54:57 -0700] T.C. Hollingsworth wrote:
Sorry, a little late to reply to this.
This was assigned CVE-2013-4450 and we have a bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1021170
Thanks for the links to the backported patches; I've noted those in our bug.