I reported this in the wrong place, sorry.
*** Bug 568898 has been marked as a duplicate of this bug. ***
CVE-2015-8027 Denial of Service Vulnerability
This critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions, an HTTP socket may no longer have a parser associated with it, but a pipelined request can trigger a pause or resume on the non-existent parser, thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down, we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical.
Versions 0.10.x of Node.js are not affected.
Versions 0.12.x of Node.js are vulnerable; please upgrade to v0.12.9 (LTS).
Versions 4.x, including LTS Argon, of Node.js are vulnerable; please upgrade to v4.2.3 "Argon" (LTS).
Versions 5.x of Node.js are vulnerable; please upgrade to v5.1.1 (Stable).
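As an added illustration (not part of the advisory, the bug thread, or the Node.js project), a small inventory check that applies the affected and fixed ranges stated above to reported `node --version` strings; the host list is constructed sample data:

```javascript
// Added example: classify Node.js version strings against the CVE-2015-8027
// ranges quoted in the advisory. Rules taken from the advisory text:
//   0.10.x  not affected
//   0.12.x  vulnerable below 0.12.9
//   4.x     vulnerable below 4.2.3
//   5.x     vulnerable below 5.1.1
// Any other release line is outside the advisory's scope and reported as such.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// First fixed release per affected line, as stated in the advisory.
const FIXED = { '0.12': [0, 12, 9], '4': [4, 2, 3], '5': [5, 1, 1] };

function classify(version) {
  const parsed = parseVersion(version);
  const [major, minor] = parsed;
  if (major === 0 && minor === 10) return 'not-affected';
  const line = major === 0 ? `0.${minor}` : String(major);
  const fixed = FIXED[line];
  if (!fixed) return 'out-of-scope';
  return compareVersions(parsed, fixed) < 0 ? 'vulnerable' : 'patched';
}

// Constructed sample inventory: hostname -> output of `node --version`.
const inventory = { web1: 'v0.12.6', web2: 'v4.4.1', api1: 'v5.0.0', legacy: 'v0.10.40' };

// Hosts that still need the upgrade the advisory asks for.
function vulnerableHosts(inv) {
  return Object.keys(inv).filter((h) => classify(inv[h]) === 'vulnerable');
}

for (const [host, v] of Object.entries(inventory)) {
  console.log(`${host}\t${v}\t${classify(v)}`);
}
```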
Just a follow-up, as this bug has been around since December of 2015. To get rid of this vulnerability we need to:
Upgrade to v0.12.9+, v4.2.3+, and v5.1.1+
I'll take care of this. All ebuilds need some changes, but I'll keep it at a minimum to avoid issues with security bumping.
There are non-vulnerable versions in the tree but not stable. Are we ready to go stable on 0.12.10 ??
I would like to move stable to 4.x, seeing how upstream does the same. Is that unfeasible? Otherwise, latest 0.12 would be good for me.
Seeing how I'm the proxy maint, I feel responsible for lagging a bit; I'm currently moving my VMs from Australia to Germany, which will finish at the end of this week. After that's done, my plan is to bring all branches up to date (0.12, 4.x, 5.x and now the 6.x). My suggestion is to sunset 0.12, suggest 4.x as LTS and make sure that we keep 6.x up to date going forward, seeing how it will be the new LTS come Q3.
4.4.1 is a good candidate then?
net-libs/nodejs-4.4.1 amd64 x86
net-libs/http-parser-2.6.2 amd64 ppc x86
*** Bug 578586 has been marked as a duplicate of this bug. ***
(In reply to Yury German from comment #5)
> There are non-vulnerable versions in the tree but not stable. Are we ready
> to go stable on 0.12.10 ??
You tracking this?
Maintainer(s), please cleanup.
Security, please vote.
Maintainer(s), please drop the vulnerable version(s).
Since we have to file an earlier bug as GLSA, going to add this one to the list.
(In reply to Aaron Bauman from comment #13)
> Are we ready to go stable on 0.12.10 ??
> You tracking this?
Maintainers, we still have 0.12.x in the tree that has not been patched. We need to mask it as part of cleanup.
Please clean the vulnerable versions.
0.12.6 is the last version that needs to be cleaned, but it is the only stable version for 0.12.x.
@maintainer, do you want to stabilize this?
Cleanup happened via bug 574418.
This issue was resolved and addressed in
GLSA 201612-43 at https://security.gentoo.org/glsa/201612-43
by GLSA coordinator Aaron Bauman (b-man).