Node.js Fixes Java Security Holes

Wednesday, May 9, 2012 @ 02:05 PM gHale


Node.js developers said all users should upgrade to the latest stable release of their JavaScript-based, event-driven, application framework, as soon as possible.

Version 0.6.17 of Node.js closes a security hole in Node’s HTTP implementation that a remote attacker could exploit to access private information.


This could occur when an attacker spoofs a request header in such a way that the contents of the HTTP parser’s buffer are appended to it. Echoing back the contents of such a request is usually safe, but in this case it could expose information about other requests.

All versions of the 0.5.x and 0.6.x branches up to and including 0.6.16 suffer from the issue; versions 0.7.0 to 0.7.7 of the 0.7.x unstable development branch are also vulnerable. Upgrading to 0.6.17 or 0.7.8 fixes the problem. Alternatively, those who cannot upgrade, or choose not to, can apply the fix on its own. The developers note that the 0.6.17 update also fixes some other important bugs, such as a file descriptor leak in the synchronous functions.

Further information about this update is in the announcement blog post and the change log. Node.js 0.6.17 is available to download for Windows and Mac OS X, or as source, from the project’s web site, and documentation is available there as well. The Node.js source code is published under an MIT license.
