Tue, 22 Oct 2013 17:42:10 UTC - vulnerability

Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection.

We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP servers in production please update as soon as possible.

This is fixed in Node.js by pausing both the socket and the HTTP parser whenever the downstream writable side of the socket is awaiting a drain event. In the attack scenario, the socket will eventually time out, and be destroyed by the server. If the "attacker" is not malicious, but merely sends a lot of requests and reacts to them slowly, then the throughput on that connection will be reduced to what the client can handle.

There is no change to program semantics, and except in the pathological cases described, no changes to behavior.
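The pausing described above can be modelled in a few lines. This is an added example, not code from Node's http.js: a constructed MockSocket mimics net.Socket's write() contract (returns false once unread bytes reach its highWaterMark, fires a drain callback once the peer reads them back down), and servePipeline() is a stand-in for the HTTP parser loop with the backpressure switch on or off.

```javascript
// Constructed model of the CVE-2013-4450 fix: the parser stops consuming
// pipelined requests while the socket's writable side is waiting for drain.
class MockSocket {
  constructor(highWaterMark) {
    this.highWaterMark = highWaterMark;
    this.buffered = 0;        // response bytes written but not yet read by the peer
    this.needDrain = false;   // true once write() has returned false
    this.onDrain = null;      // listener installed by the server side
  }
  // Like net.Socket.write(): buffer the chunk, return false when over the mark.
  write(chunk) {
    this.buffered += chunk.length;
    if (this.buffered >= this.highWaterMark) this.needDrain = true;
    return !this.needDrain;
  }
  // The peer reads n bytes; when the buffer drops under the mark, 'drain' fires.
  peerRead(n) {
    this.buffered = Math.max(0, this.buffered - n);
    if (this.needDrain && this.buffered < this.highWaterMark) {
      this.needDrain = false;
      if (this.onDrain) this.onDrain();
    }
  }
}

// Serve `requests` pipelined requests on `socket`, answering each with a
// fixed-size reply. With backpressure on (the v0.8.26 / v0.10.21 behaviour)
// the parser pauses after any write that returned false and resumes on drain.
// Returns the server-side state so callers can inspect parsed/pending counts.
function servePipeline(socket, requests, { backpressure, responseBytes = 1024 }) {
  const state = { parsed: 0, pending: requests, paused: false };
  const response = 'x'.repeat(responseBytes);   // constructed 1 KiB reply
  const parse = () => {
    while (state.pending > 0 && !state.paused) {
      state.pending -= 1;
      state.parsed += 1;
      const ok = socket.write(response);
      if (!ok && backpressure) state.paused = true;  // wait for drain
    }
  };
  socket.onDrain = () => { state.paused = false; parse(); };
  parse();
  return state;
}
```

A client that never reads leaves the unfixed server holding one response per pipelined request in memory, while the fixed server holds at most highWaterMark bytes and parses further requests only as fast as the peer reads.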

If upgrading is not possible, then putting an HTTP proxy in front of the Node.js server can mitigate the vulnerability, but only if the proxy parses HTTP and is not itself vulnerable to a pipeline flood DoS.

For example, nginx will prevent the attack (since it closes connections after 100 pipelined requests by default), but HAProxy in raw TCP mode will not (since it proxies the TCP connection without regard for HTTP semantics).

This addresses CVE-2013-4450.

Fri, 18 Oct 2013 22:39:23 UTC - release

This release contains a security fix for the http server implementation; please upgrade as soon as possible. Details will be released soon.

2013.10.18, Version 0.10.21 (Stable)

  • uv: Upgrade to v0.10.18

  • crypto: clear errors from verify failure (Timothy J Fontaine)

  • dtrace: interpret two byte strings (Dave Pacheco)

  • fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)

  • http: provide backpressure for pipeline flood (isaacs)

  • tls: fix premature connection termination (Ben Noordhuis)

Source Code: http://nodejs.org/dist/v0.10.21/node-v0.10.21.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.21/node-v0.10.21.pkg

Windows Installer: http://nodejs.org/dist/v0.10.21/node-v0.10.21-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.21/x64/node-v0.10.21-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.21/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.21/

Website: http://nodejs.org/docs/v0.10.21/

Documentation: http://nodejs.org/docs/v0.10.21/api/

Shasums:


Fri, 18 Oct 2013 21:52:30 UTC - release

This release contains a security fix for the http server implementation; please upgrade as soon as possible. Details will be released soon.

2013.10.13, Version 0.8.26 (maintenance)

  • v8: Upgrade to 3.11.10.26

  • crypto: clear openssl error stack when handled (Ben Noordhuis)

  • crypto: clear errors from verify failure (Timothy J Fontaine)

  • crypto: fix memory leak in LoadPKCS12 (Fedor Indutny)

  • http: provide backpressure for pipeline flood (isaacs)

  • http_parser: expose pause/resume method for parser (Timothy J Fontaine)

  • readline: pause stdin before turning off terminal raw mode (Daniel Chatfield)

Source Code: http://nodejs.org/dist/v0.8.26/node-v0.8.26.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.8.26/node-v0.8.26.pkg

Windows Installer: http://nodejs.org/dist/v0.8.26/node-v0.8.26-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.8.26/x64/node-v0.8.26-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.8.26/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.8.26/node-v0.8.26-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.8.26/node-v0.8.26-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.8.26/node-v0.8.26-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.8.26/node-v0.8.26-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.8.26/

Website: http://nodejs.org/docs/v0.8.26/

Documentation: http://nodejs.org/docs/v0.8.26/api/

Shasums:


Mon, 30 Sep 2013 22:05:41 UTC - release

2013.09.30, Version 0.10.20 (Stable)

  • tls: fix sporadic hang and partial reads (Fedor Indutny)
    • fixes "npm ERR! cb() never called!"

Source Code: http://nodejs.org/dist/v0.10.20/node-v0.10.20.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.20/node-v0.10.20.pkg

Windows Installer: http://nodejs.org/dist/v0.10.20/node-v0.10.20-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.20/x64/node-v0.10.20-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.20/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.20/node-v0.10.20-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.20/node-v0.10.20-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.20/node-v0.10.20-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.20/node-v0.10.20-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.20/

Website: http://nodejs.org/docs/v0.10.20/

Documentation: http://nodejs.org/docs/v0.10.20/api/

Shasums:

