It was reported that HTTP header parsing in Node.js is vulnerable to response splitting attacks. While Node.js has been protecting against response splitting attacks by checking for CRLF characters, it is possible to compose response headers using Unicode characters that decompose to these characters, bypassing the checks previously in place. External Reference: https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
Created nodejs tracking bugs for this issue: Affects: fedora-all [bug 1306207] Affects: epel-all [bug 1306208]
Root cause analysis: http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis/
nodejs-0.10.42-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-0.10.42-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-0.10.42-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-0.10.42-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Patches : master branch : https://github.com/nodejs/node/commit/7bef1b7907 4.x branch : https://github.com/nodejs/node/commit/cf2b714b02 0.10.x branch : https://github.com/nodejs/node/commit/5c94624
(In reply to Ján Rusnačko from comment #3) > Root cause analysis: > > http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js- > root-cause-analysis/ The blog post has moved to: https://safebreach.com/Post/HTTP-Response-Splitting-in-Node-js-Root-Cause-Analysis
Openshift Enterprise is pointed to latest RHSCL Node 4 image, which is 4.6.2. Marking as not afffected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-2216