STE WILLIAMS

Sysadmins: within around the next 24 to 48 hours, watch out for an upcoming update to node.js to cover off a couple of vulnerabilities.

The most serious, CVE-2015-8027, is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued.

The DoS bug affects all versions of v0.12.x through to v5.x, but not versions 0.10.x.

The second, CVE-2015-6764, is an out-of-bounds access vulnerability only affects v4.x and v5.x. An attacker can trigger an out-of-bounds access and/or denial-of-service “if user-supplied JavaScript can be executed by an application”, the advisory says.

The foundation reckon’s the second bug is only of medium severity.

The fixes are scheduled 1 December USA time / 2 December UTC.

The node.js Foundation community manager Mikeal Rogers told Infoworld there are so far no exploits for the bugs in the wild. ®

Sponsored:
Data Loss Prevention Data Theft Prevention

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/nodejs_sysadmins_get_ready_to_patch/