---------- Forwarded message ----------
From: Rod Vagg <rvagg@nodesource.com>
Date: Fri, Jul 3, 2015 at 8:47 PM
Subject: NODE.JS SECURITY: Node.js v0.12.6 and io.js v2.3.3
To: security@nodejs.org
Bcc: tchollingsworth@gmail.com


The Node.js Foundation TSC sincerely apologizes for the rushed
handling of this security fix. Evening in the USA on the weekend of
the 4th of July is not ideal and we would have preferred make a more
measured response to this incident.

We made the call to push forward because details about the bug and
potential exploit has inadvertently made its way to a public forum. We
decided that we would rather provide companies and users the tools to
protect themselves and mitigate DoS attacks if they become a reality.

If you are using Node.js v0.12 or any version if io.js please upgrade.
Node.js v0.10 is not affected.

* Node.js v0.12.6 is available at http://nodejs.org/dist/latest/
* io.js v2.3.3 is available at https://iojs.org/dist/latest/
* io.js v1.8.3 is available at https://iojs.org/dist/v1.8.3/ for any users
still on v1.8.

The quick summary of the bug: Kris Reeves and Trevor Norris pinpointed
a bug in V8 in the way it decodes UTF strings. This impacts Node at
`Buffer` to UTF8 `String` conversions and can cause a process to
crash. The security concern comes from the fact that a lot of data
from outside of an application is delivered to Node via this mechanism
which means that users can potentially deliver specially crafted input
data that can cause an application to crash when it goes through this
path. We know that most networking and filesystem operations are
impacted as would be many user-land uses of `Buffer` to UTF8 `String`
conversion. We know that HTTP(S) header parsing is _not_ vulnerable
because Node does not convert this data as UTF8. This is a small
consolation because it restricts the way HTTP(S) can be exploited but
there is more to HTTP(S) than header parsing obviously and we have
confirmed that HTTP(S) is vulnerable via body parsing. We also have no
information yet on how the various TLS terminators and forward-proxies
in use may potentially mitigate against the form of data required for
this exploit but it would be safe to assume that these are not a
protective layer against a DoS attack.

An initial ETA provided was midday PDT on the 3rd, that was based on
the information we had available. Unfortunately, the patch was not
quite ready and there was an extended test and verification process
for V8, io.js and Node.js during the day. The builds also take some
time on top of that, hence the delay. Fedor Indutny created the fix,
Ben Noordhuis, Trevor Norris, Julien Gilli, Michael Dawson and
Jeremiah Senkpiel all worked very hard to make this land successfully.

If you have any further questions or concerns please contact us at
security@nodejs.org or respond to this email.

- Node.js Foundation TSC

--

This vulnerability does not affect the 0.10.x series shipped in Fedora, EPEL, and all Red Hat products that I am aware of.  This is just a courtesy notice in case you all are using 0.12 or io.js anywhere.