May 8, H Security – (International) Node.js update fixes information disclosure vulnerability. The Node.js developers are advising all users to upgrade to the latest stable release of their JavaScript-based, event-driven, application framework as soon as possible. Version 0.6.17 of Node.js closes a security hole in Node’s HTTP implementation that could be exploited by a remote attacker to access private information. This could be done by appending the contents of the HTTP parser’s buffer to spoof a request header to make it appear to come from the attacker; echoing back the contents of such a request is usually safe, but in this case could expose information about other requests. All versions of the 0.5.x and 0.6.x branches up to and including 0.6.16 are affected; versions 0.7.0 to 0.7.7 of the 0.7.x unstable development branch are also vulnerable. Upgrading to 0.6.17 or 0.7.8 fixes the problem. Alternatively, those who cannot or choose not to upgrade can apply a fix. The developers note that the 0.6.17 update also fixes some other important bugs such as a file descriptor leak in sync functions.
Source: http://www.h-online.com/security/news/item/Node-js-update-fixes-information-disclosure-vulnerability-1570157.html
