Tue, 16 Sep 2014 23:52:44 UTC - release

2014.09.16, Version 0.10.32 (Stable)

  • npm: Update to 1.4.28

  • v8: fix a crash introduced by previous release (Fedor Indutny)

  • configure: add --openssl-no-asm flag (Fedor Indutny)

  • crypto: use domains for any callback-taking method (Chris Dickinson)

  • http: do not send 0\r\n\r\n in TE HEAD responses (Fedor Indutny)

  • querystring: fix unescape override (Tristan Berger)

  • url: Add support for RFC 3490 separators (Mathias Bynens)

Source Code: http://nodejs.org/dist/v0.10.32/node-v0.10.32.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.32/node-v0.10.32.pkg

Windows Installer: http://nodejs.org/dist/v0.10.32/node-v0.10.32-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.32/x64/node-v0.10.32-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.32/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.32/

Website: http://nodejs.org/docs/v0.10.32/

Documentation: http://nodejs.org/docs/v0.10.32/api/

Shasums:

Tue, 19 Aug 2014 22:12:08 UTC - release

2014.08.19, Version 0.10.31 (Stable)

  • v8: backport CVE-2013-6668

  • openssl: Update to v1.0.1i

  • npm: Update to v1.4.23

  • cluster: disconnect should not be synchronous (Sam Roberts)

  • fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)

  • stream: fix Readable.wrap objectMode falsy values (James Halliday)

  • timers: fix timers with non-integer delay hanging. (Julien Gilli)

Source Code: http://nodejs.org/dist/v0.10.31/node-v0.10.31.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.31/node-v0.10.31.pkg

Windows Installer: http://nodejs.org/dist/v0.10.31/node-v0.10.31-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.31/x64/node-v0.10.31-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.31/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.31/

Website: http://nodejs.org/docs/v0.10.31/

Documentation: http://nodejs.org/docs/v0.10.31/api/

Shasums:

Thu, 31 Jul 2014 19:00:00 UTC - vulnerability

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your workload involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.

This issue was identified by Tom Steele of ^Lift Security, and Fedor Indutny, Node.js Core Team member, worked closely with the V8 team to find our resolution.

The V8 issue is described here: https://codereview.chromium.org/339883002

It has landed in the Node repository here: https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

The Fix

The backport of the fix for Node.js is:

diff --git a/deps/v8/src/isolate.h b/deps/v8/src/isolate.h
index b90191d..2769ca7 100644
--- a/deps/v8/src/isolate.h
+++ b/deps/v8/src/isolate.h
@@ -1392,14 +1392,9 @@ class StackLimitCheck BASE_EMBEDDED {
  public:
   explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { }

-  bool HasOverflowed() const {
+  inline bool HasOverflowed() const {
     StackGuard* stack_guard = isolate_->stack_guard();
-    // Stack has overflowed in C++ code only if stack pointer exceeds the C++
-    // stack guard and the limits are not set to interrupt values.
-    // TODO(214): Stack overflows are ignored if a interrupt is pending. This
-    // code should probably always use the initial C++ limit.
-    return (reinterpret_cast<uintptr_t>(this) < stack_guard->climit()) &&
-           stack_guard->IsStackOverflow();
+    return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();
   }
  private:
   Isolate* isolate_;
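
Review bot: The new return in HasOverflowed() carries no comment, while the removed lines held the only explanation of this check, including TODO(214) about overflows being ignored when an interrupt is pending. A one-line comment above the return, saying the comparison is deliberately against real_climit() rather than climit() so that a pending interrupt cannot hide an overflow, would keep that rationale in the header. The added `inline` is also redundant on a member function defined inside the class body and could be dropped.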

Remediation

The best course of action is to patch or upgrade Node.js.

Mitigation

To mitigate against deep JSON parsing, you can limit the size of the string you parse, or ban clients who trigger a RangeError when parsing JSON.

There is no specific maximum size of a JSON string, though keeping the max to the size of your known message bodies is suggested. If your message bodies cannot be over 20K, there's no reason to accept 1MB bodies.

For web frameworks that do automatic JSON parsing, you may need to configure the routes that accept JSON payloads to have a maximum body size.
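
Both mitigations above can be combined in a small request guard. The following is an added example, not code from the Node.js project: `readCapped`, `guardedParse`, `MAX_BODY_BYTES`, `MAX_STRIKES` and the per-client strike counter are illustrative names, and the 20K cap and three-strike threshold are assumptions to be sized to your own message bodies.

```javascript
'use strict';
// Added example. MAX_BODY_BYTES, MAX_STRIKES, readCapped and guardedParse are
// illustrative names, not Node.js APIs; the thresholds are assumptions.
const MAX_BODY_BYTES = 20 * 1024; // the "20K" known-maximum from the text
const MAX_STRIKES = 3;            // RangeErrors tolerated before a client is banned
const strikes = new Map();        // clientId -> number of RangeErrors caused

// Collect a request body, giving up as soon as the cap is crossed so an
// oversized payload is never fully buffered.
function readCapped(req, limit, done) {
  const chunks = [];
  let size = 0;
  let finished = false;
  req.on('data', (chunk) => {
    if (finished) return;
    size += chunk.length;
    if (size > limit) {
      finished = true;
      req.destroy();                    // stop reading from this client
      return done(new Error('body too large'));
    }
    chunks.push(chunk);
  });
  req.on('end', () => {
    if (finished) return;
    finished = true;
    done(null, Buffer.concat(chunks).toString('utf8'));
  });
}

// Parse untrusted JSON; returns { status, body } with an HTTP status code.
// `parse` is injectable only so the RangeError path can be exercised.
function guardedParse(clientId, raw, parse = JSON.parse) {
  if ((strikes.get(clientId) || 0) >= MAX_STRIKES) return { status: 403, body: null };
  // Count bytes, not characters: multi-byte UTF-8 would slip past raw.length.
  if (Buffer.byteLength(raw, 'utf8') > MAX_BODY_BYTES) return { status: 413, body: null };
  try {
    return { status: 200, body: parse(raw) };
  } catch (err) {
    if (err instanceof RangeError) {
      // Stack exhaustion while parsing: count it against this client.
      strikes.set(clientId, (strikes.get(clientId) || 0) + 1);
    }
    return { status: 400, body: null };
  }
}
```

Only a RangeError counts as a strike; an ordinary SyntaxError from malformed JSON returns 400 without moving the client toward a ban.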

Thu, 31 Jul 2014 18:39:10 UTC - release

2014.07.31, Version 0.8.28 (maintenance)

  • v8: Interrupts must not mask stack overflow. (Fedor Indutny)

Source Code: http://nodejs.org/dist/v0.8.28/node-v0.8.28.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.8.28/node-v0.8.28.pkg

Windows Installer: http://nodejs.org/dist/v0.8.28/node-v0.8.28-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.8.28/x64/node-v0.8.28-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.8.28/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.8.28/

Website: http://nodejs.org/docs/v0.8.28/

Documentation: http://nodejs.org/docs/v0.8.28/api/

Shasums:

