JavaScript News

OpenSSL and Breaking UTF-8 Change (fixed in Node v0.8.27 and v0.10.29)

June 16th, 2014

Today we are releasing new versions of Node: node-v0.8.27 and node-v0.10.29. First and foremost, these releases address the current OpenSSL vulnerability CVE-2014-0224; for both 0.8 and 0.10 we’ve upgraded the version of the bundled OpenSSL to their fixed versions, v1.0.0m and v1.0.1h respectively. Additionally, these releases address the fact that V8 UTF-8 encoding would allow unmatched…

DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21)

October 22nd, 2013

Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection. We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP servers in production please update as soon as possible. v0.10.21 http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/…

HTTP Server Security Vulnerability: Please upgrade to 0.6.17

May 7th, 2012

tl;dr A carefully crafted attack request can cause the contents of the HTTP parser’s buffer to be appended to the attacking request’s header, making it appear to come from the attacker. Since it is generally safe to echo back contents of a request, this can allow an attacker to get an otherwise correctly designed server…