Timothy J Fontaine of the NodeJS project reports the following security issue:

  This release contains a security fix for the http server implementation, please upgrade as soon as possible. Details will be released soon.

  2013.10.18, Version 0.10.21 (Stable)
  * http: provide backpressure for pipeline flood (isaacs)

https://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0
https://github.com/joyent/node/issues/6214
https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692

Fixed upstream in versions 0.10.21 and 0.8.26:
http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1021171]
Affects: epel-6 [bug 1021172]
For backporting, some patches are available:

0.10.x: https://github.com/joyent/node/commit/b97c28f59ee898a81f0df988c249359c9b42701d
0.8.x: https://github.com/joyent/node/commit/653d4db71f569ddc87a0bc21f5ecc5ceaf37f932

And a decent technical overview can be found here:
https://news.ycombinator.com/item?id=6575080
The 0.8.x patches go fairly cleanly into 0.6.20. Looking at the code that is patched, I am fairly sure that 0.6.20 is vulnerable to this attack. I'm also quite confident that the 0.8.x patch fixes the problem. I have not tested either the vulnerability or the fix.
Fedora has never shipped anything older than 0.10.x (well, the 0.9.x development branch), so I suspect figuring out if it applies to 0.6.x is pretty much academic. I *think* Red Hat has also only ever shipped 0.10.x in Software Collections.
0.6.x was shipped with OpenShift Enterprise and is in use by OpenShift Online.
libuv-0.10.18-1.fc19, nodejs-0.10.21-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
libuv-0.10.18-1.fc18, nodejs-0.10.21-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
A test case for this issue is part of the nodejs test suite:
https://github.com/joyent/node/blob/v0.10.21-release/test/simple/test-http-pipeline-flood.js

Metasploit also includes a module for this issue:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/nodejs_pipelining.rb
libuv-0.10.18-1.el6, nodejs-0.10.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
libuv-0.10.18-1.fc20, nodejs-0.10.21-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Software Collections for RHEL-6

Via RHSA-2013:1842 https://rhn.redhat.com/errata/RHSA-2013-1842.html
OpenShift 2.1 uses SCL nodejs now, so removing from affected products.
nodejs 0.6 also appears to be vulnerable. The affected code:

in 0.10:

    if (parser.socket.readable) {
      // force to read the next incoming message
      readStart(parser.socket);
    }

in 0.6:

    if (parser.socket.readable) {
      // force to read the next incoming message
      parser.socket.resume();
    }
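The following is an added example, not code from the Node project or from this bug report. It models why the quoted lines are the problem: after every parsed message the server unconditionally restarts reading the socket, so a client that pipelines thousands of requests in one TCP stream makes the server parse and queue all of them in memory before a single response is written. The second mode applies the idea of the upstream fix (stop reading once responses fall behind, resume when the queue drains) so the unread data stays in the kernel receive buffer and TCP flow control throttles the client. The request format, the toy parser, the class names and the MAX_PENDING threshold are assumptions made for illustration; the real fix lives in lib/http.js.

```javascript
'use strict';
// Added example, not code from the Node project: a simulation of the
// HTTP pipelining flood and of read backpressure on the server socket.
// Names, parser and threshold below are constructed for illustration.

// Assumed threshold: stop reading the socket once this many pipelined
// requests are parsed but not yet answered.
const MAX_PENDING = 4;

// Split buffered input into complete request heads. Each head ends at a
// blank line; bodies are ignored because the flood uses bodiless GETs.
function splitRequests(data) {
  const parts = data.split('\r\n\r\n');
  const rest = parts.pop();              // possibly incomplete trailing head
  return { heads: parts.filter((p) => p.length > 0), rest };
}

// One server-side socket. kernelBuffer stands in for the TCP receive
// buffer: chunks that have arrived but that the parser has not consumed.
class PipelineServer {
  constructor(backpressure) {
    this.backpressure = backpressure;
    this.kernelBuffer = [];
    this.pending = [];      // parsed requests whose response is not finished
    this.carry = '';        // partial head left over from the last chunk
    this.paused = false;
    this.responded = 0;
    this.maxPending = 0;    // high-water mark of pending.length
  }

  // A chunk arrives on the socket.
  deliver(chunk) {
    this.kernelBuffer.push(chunk);
    this.pump();
  }

  // Hand chunks to the parser while the socket is flowing. Without
  // backpressure this mirrors the quoted code: reading always restarts
  // after each message, so the loop never stops and pending grows without
  // bound. With backpressure the socket is paused once responses lag.
  pump() {
    while (!this.paused && this.kernelBuffer.length > 0) {
      const { heads, rest } = splitRequests(this.carry + this.kernelBuffer.shift());
      this.carry = rest;
      for (const head of heads) {
        this.pending.push(head);
        this.maxPending = Math.max(this.maxPending, this.pending.length);
        if (this.backpressure && this.pending.length >= MAX_PENDING) {
          this.paused = true;  // stop reading; further data stays in the kernel
        }
      }
    }
  }

  // The application finishes one response. Resume reading only once the
  // queue has drained below the threshold.
  finishResponse() {
    if (this.pending.length === 0) return;
    this.pending.shift();
    this.responded += 1;
    if (this.paused && this.pending.length < MAX_PENDING) {
      this.paused = false;   // socket.resume()
      this.pump();
    }
  }
}

// Send `requests` pipelined GETs, `perChunk` per TCP segment, then let the
// application answer them one at a time. Returns how deep the in-memory
// queue got, how much of the flood was left unread in the kernel, and
// whether every request was still answered.
function runFlood({ backpressure, requests, perChunk }) {
  const server = new PipelineServer(backpressure);
  const get = 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n'; // constructed request
  for (let sent = 0; sent < requests; sent += perChunk) {
    server.deliver(get.repeat(Math.min(perChunk, requests - sent)));
  }
  const unreadAfterFlood = server.kernelBuffer.length;
  while (server.pending.length > 0) server.finishResponse();
  return { maxPending: server.maxPending, unreadAfterFlood, responded: server.responded };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable', runFlood({ backpressure: false, requests: 1000, perChunk: 4 }));
  console.log('fixed     ', runFlood({ backpressure: true, requests: 1000, perChunk: 4 }));
}
```

In the vulnerable mode a flood of 1000 requests is fully parsed and held in `pending`, which is the memory growth the Metasploit module exploits. In the backpressure mode the queue never exceeds the threshold plus whatever was in the chunk being parsed when the limit was hit, the rest of the flood stays unread in the kernel, and every request is still answered in order once the application catches up.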
Statement: OpenShift Enterprise 1.2 is in a lifecycle phase that only provides Critical and Important security updates, as this issue is rated Moderate this issue will not be fixed. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/support/policy/updates/openshift.