
Bug 415103

Summary: net-libs/nodejs-0.6.17 version bump : HTTP Server Security Vulnerability
Product: Gentoo Linux
Reporter: SchAmane <schamane>
Component: New packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE
Severity: normal
CC: patrick
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/
Whiteboard:
Package list:
Runtime testing required: ---

Description SchAmane 2012-05-08 08:27:52 UTC
Please bump new version.
Security issue.


A carefully crafted attack request can cause the contents of the HTTP parser’s buffer to be appended to the attacking request’s header, making it appear to come from the attacker. Since it is generally safe to echo back contents of a request, this can allow an attacker to get an otherwise correctly designed server to divulge information about other requests. It is theoretically possible that it could enable header-spoofing attacks, though such an attack has not been demonstrated.

Versions affected: All versions of the 0.5/0.6 branch prior to 0.6.17, and all versions of the 0.7 branch prior to 0.7.8. Versions in the 0.4 branch are not affected.
Fix: Upgrade to v0.6.17, or apply the fix in c9a231d to your system.
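A version check against the affected ranges quoted above, added here as an example (it is not code from the bug report or from the Node.js project); it assumes the version string follows Node's `vMAJOR.MINOR.PATCH` form and treats branches the advisory does not list as unaffected:

```javascript
// Added example, not part of the bug report or the Node.js project.
// Affected ranges from the advisory: every 0.5.x release, 0.6.x before
// 0.6.17, 0.7.x before 0.7.8; the 0.4 branch is not affected.

// Parse "v0.6.16" or "0.6.16" (a pre-release suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the version falls inside one of the advisory's affected ranges.
function isAffected(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major !== 0) return false;        // advisory only covers 0.x releases
  if (minor === 5) return true;         // whole 0.5 branch affected
  if (minor === 6) return patch < 17;   // fixed in 0.6.17
  if (minor === 7) return patch < 8;    // fixed in 0.7.8
  return false;                         // 0.4 and branches not listed
}

// Smallest fixed release for an affected version, or null if not affected.
function fixedVersion(version) {
  if (!isAffected(version)) return null;
  const [, minor] = parseVersion(version);
  return minor === 7 ? '0.7.8' : '0.6.17';
}

// Stand-alone use: `node check.js v0.6.16`, or no argument to check the
// running interpreter's own process.version.
const target = process.argv[2] || process.version;
console.log(
  `${target}: ${isAffected(target)
    ? 'AFFECTED, upgrade to ' + fixedVersion(target)
    : 'not affected'}`
);
```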
Comment 1 Patrick Lauer gentoo-dev 2012-05-08 08:32:34 UTC

*** This bug has been marked as a duplicate of bug 415075 ***