Tue, 19 Aug 2014 22:12:08 UTC - release

2014.08.19, Version 0.10.31 (Stable)

  • v8: backport CVE-2013-6668

  • openssl: Update to v1.0.1i

  • npm: Update to v1.4.23

  • cluster: disconnect should not be synchronous (Sam Roberts)

  • fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)

  • stream: fix Readable.wrap objectMode falsy values (James Halliday)

  • timers: fix timers with non-integer delay hanging. (Julien Gilli)

Source Code: http://nodejs.org/dist/v0.10.31/node-v0.10.31.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.31/node-v0.10.31.pkg

Windows Installer: http://nodejs.org/dist/v0.10.31/node-v0.10.31-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.31/x64/node-v0.10.31-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.31/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.31/

Website: http://nodejs.org/docs/v0.10.31/

Documentation: http://nodejs.org/docs/v0.10.31/api/

Shasums:


Thu, 31 Jul 2014 19:00:00 UTC - vulnerability

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your workload involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.

This issue was identified by Tom Steele of ^Lift Security, and Fedor Indutny, a Node.js Core Team member, worked closely with the V8 team to find our resolution.

The V8 issue is described here: https://codereview.chromium.org/339883002

It has landed in the Node repository here: https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

The Fix

The backport of the fix for Node.js is:

diff --git a/deps/v8/src/isolate.h b/deps/v8/src/isolate.h
index b90191d..2769ca7 100644
--- a/deps/v8/src/isolate.h
+++ b/deps/v8/src/isolate.h
@@ -1392,14 +1392,9 @@ class StackLimitCheck BASE_EMBEDDED {
  public:
   explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { }

-  bool HasOverflowed() const {
+  inline bool HasOverflowed() const {
     StackGuard* stack_guard = isolate_->stack_guard();
-    // Stack has overflowed in C++ code only if stack pointer exceeds the C++
-    // stack guard and the limits are not set to interrupt values.
-    // TODO(214): Stack overflows are ignored if a interrupt is pending. This
-    // code should probably always use the initial C++ limit.
-    return (reinterpret_cast<uintptr_t>(this) < stack_guard->climit()) &&
-           stack_guard->IsStackOverflow();
+    return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();
   }
  private:
   Isolate* isolate_;
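
Review bot: the new return in HasOverflowed() drops the old explanatory comment and the TODO(214) without a replacement, so nothing in the hunk says why real_climit() is compared instead of climit(). A one-line comment stating that the real C++ limit is used so that a pending interrupt cannot hide a stack overflow would keep the reasoning the removed lines recorded. The added inline is also redundant on a member function that is defined inside the class body.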

Remediation

The best course of action is to patch or upgrade Node.js.

Mitigation

To mitigate against deep JSON parsing you can limit the size of the string you parse, or ban clients who trigger a RangeError when parsing JSON.

There is no specific maximum size of a JSON string, though keeping the max to the size of your known message bodies is suggested. If your message bodies cannot be over 20K, there's no reason to accept 1MB bodies.

For web frameworks that do automatic JSON parsing, you may need to configure the routes that accept JSON payloads to have a maximum body size.
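
The two mitigations above, sketched as an added example that is not code from the Node.js project: a body collector that stops buffering past a size cap and counts RangeError parse failures per client. All names, the ban threshold of 3 and the status codes are assumptions, and chunks are assumed to be Buffers.

```javascript
// Added example; every name below is hypothetical, not Node.js or framework API.
const MAX_BODY_BYTES = 20 * 1024;  // the advisory's example: bodies never exceed 20K
const BAN_AFTER_RANGE_ERRORS = 3;  // assumed policy threshold
const rangeErrors = new Map();     // clientId -> count of RangeError parses

function isBanned(clientId) {
  return (rangeErrors.get(clientId) || 0) >= BAN_AFTER_RANGE_ERRORS;
}

// Collects request chunks and refuses to buffer more than maxBytes.
// `parse` is injectable so the RangeError path can be tested.
function createJsonBody(clientId, maxBytes = MAX_BODY_BYTES, parse = JSON.parse) {
  const chunks = [];
  let total = 0;
  let tooLarge = false;
  return {
    // Wire to req.on('data'). A false return means: stop reading, answer 413.
    push(chunk) {
      if (tooLarge) return false;
      total += chunk.length;
      if (total > maxBytes) {
        tooLarge = true;
        chunks.length = 0;          // release what was buffered so far
        return false;
      }
      chunks.push(chunk);
      return true;
    },
    // Wire to req.on('end'). Returns { status, value? } for the handler.
    finish() {
      if (isBanned(clientId)) return { status: 403 };
      if (tooLarge) return { status: 413 };
      try {
        return { status: 200, value: parse(Buffer.concat(chunks).toString('utf8')) };
      } catch (err) {
        if (err instanceof RangeError) {
          // Stack exhaustion while parsing: count it against the client.
          rangeErrors.set(clientId, (rangeErrors.get(clientId) || 0) + 1);
        }
        return { status: 400 };
      }
    },
  };
}
```

The cap is checked as chunks arrive, so an oversized body is rejected before it is ever concatenated or handed to the parser.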

Thu, 31 Jul 2014 18:39:10 UTC - release

2014.07.31, Version 0.8.28 (maintenance)

  • v8: Interrupts must not mask stack overflow. (Fedor Indutny)

Source Code: http://nodejs.org/dist/v0.8.28/node-v0.8.28.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.8.28/node-v0.8.28.pkg

Windows Installer: http://nodejs.org/dist/v0.8.28/node-v0.8.28-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.8.28/x64/node-v0.8.28-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.8.28/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.8.28/node-v0.8.28-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.8.28/

Website: http://nodejs.org/docs/v0.8.28/

Documentation: http://nodejs.org/docs/v0.8.28/api/

Shasums:


Thu, 31 Jul 2014 18:11:40 UTC - release

2014.07.31, Version 0.10.30 (Stable)

  • uv: Upgrade to v0.10.28

  • npm: Upgrade to v1.4.21

  • v8: Interrupts must not mask stack overflow.

  • Revert "stream: start old-mode read in a next tick" (Fedor Indutny)

  • buffer: fix sign overflow in readUIn32BE (Fedor Indutny)

  • buffer: improve {read,write}{U}Int* methods (Nick Apperson)

  • child_process: handle writeUtf8String error (Fedor Indutny)

  • deps: backport 4ed5fde4f from v8 upstream (Fedor Indutny)

  • deps: cherry-pick eca441b2 from OpenSSL (Fedor Indutny)

  • lib: remove and restructure calls to isNaN() (cjihrig)

  • module: eliminate double getenv() (Maciej Małecki)

  • stream2: flush extant data on read of ended stream (Chris Dickinson)

  • streams: remove unused require('assert') (Rod Vagg)

  • timers: backport f8193ab (Julien Gilli)

  • util.h: interface compatibility (Oguz Bastemur)

  • zlib: do not crash on write after close (Fedor Indutny)

Source Code: http://nodejs.org/dist/v0.10.30/node-v0.10.30.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.30/node-v0.10.30.pkg

Windows Installer: http://nodejs.org/dist/v0.10.30/node-v0.10.30-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.30/x64/node-v0.10.30-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.30/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.30/node-v0.10.30-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.30/node-v0.10.30-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.30/node-v0.10.30-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.30/node-v0.10.30-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.30/

Website: http://nodejs.org/docs/v0.10.30/

Documentation: http://nodejs.org/docs/v0.10.30/api/

Shasums:

