"A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault." New ebuilds are in place, so now =nodejs-0.10.30 needs to be stabilized.
amd64 stable
x86 stable. Maintainer(s), please cleanup.
Arches, thank you for your work. Maintainer(s), please drop the vulnerable version. GLSA Vote: No
NO too. Keeping open for cleanup.
+ 06 Aug 2014; Patrick Lauer <patrick@gentoo.org> -nodejs-0.10.21.ebuild: + Remove old All vulnerable removed
CVE-2014-5256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5256): Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
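For services that must parse untrusted JSON, a depth guard in front of `JSON.parse` limits how deep the recursive parse can go. The following is an added example, not code from Node.js, V8 or this bug report; `MAX_DEPTH`, `jsonDepth` and `safeParse` are hypothetical names, the sample inputs are constructed, and the guard complements rather than replaces upgrading to the fixed versions named in the CVE text.

```javascript
// Hypothetical limit: set it to the deepest document the service legitimately accepts.
const MAX_DEPTH = 64;

// Return the maximum array/object nesting depth of a JSON text, throwing as
// soon as `limit` is exceeded. The scan is iterative, so the check itself
// cannot exhaust the stack no matter how deep the input is.
function jsonDepth(text, limit) {
  let depth = 0;
  let max = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === '"') inString = false;
      continue;                            // brackets inside strings do not nest
    }
    if (c === '"') {
      inString = true;
    } else if (c === '[' || c === '{') {
      depth++;
      if (depth > limit) throw new RangeError('JSON nesting exceeds ' + limit);
      if (depth > max) max = depth;
    } else if (c === ']' || c === '}') {
      depth--;
    }
  }
  return max;
}

// Reject over-deep input before the recursive parser ever sees it.
// Syntax errors are still reported by JSON.parse itself.
function safeParse(text, limit = MAX_DEPTH) {
  jsonDepth(text, limit);
  return JSON.parse(text);
}

// Constructed sample inputs.
const SAMPLE_OK = '{"a":[1,{"b":"]}["}]}';                    // depth 3, brackets in a string
const SAMPLE_DEEP = '['.repeat(1000) + ']'.repeat(1000);      // depth 1000
```

Run the guard on the raw request body, before any middleware that calls `JSON.parse` on it.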