Node.js 0.12.x prior to 0.12.9, 4.x prior to 4.2.3, and 5.x prior to 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote malicious users to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.

Vulnerable Product |
---|
nodejs node.js 0.12.7 |
nodejs node.js 0.12.6 |
nodejs node.js 5.1.0 |
nodejs node.js 5.0.0 |
nodejs node.js 0.12.4 |
nodejs node.js 0.12.3 |
nodejs node.js 4.2.0 |
nodejs node.js 0.12.8 |
nodejs node.js 0.12.1 |
nodejs node.js 0.12.5 |
nodejs node.js 4.2.2 |
nodejs node.js 4.2.1 |
nodejs node.js 0.12.2 |
nodejs node.js 0.12.0 |

iCloud and iTunes on Windows also need patching
Apple has published security updates for Xcode, iCloud for Windows, and iTunes for Windows. Xcode 8.1 plugs holes the Xcode server inherited from Chrome, OpenSSL and node.js. Apple's announcement is here. There's a bunch of OpenSSL patches to start with: CVE-2015-6764 and CVE-2016-1669 are bugs inherited from Google Chrome code. CVE-2016-2086, CVE-2016-2216 and CVE-2015-8027 splat bugs in node.js. Cupertino has also updated iCloud for Windows against two bugs: CVE-2016-4613, reported by Google s...
DoS bug fix coming
Update: Patch delayed to include coming SSH fix

Sysadmins: within around the next 24 to 48 hours, watch out for an upcoming update to node.js to cover off a couple of vulnerabilities. The most serious, CVE-2015-8027, is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued. The DoS bug affects all versions of v0.12.x through to v5.x, but not versions 0.10.x. The second, CVE-2015-6764, is an out-of-bounds access vulnerability...