[arch-security] [ASA-201510-3] nodejs: denial of service
Arch Linux Security Advisory ASA-201510-3 ========================================= Severity: Medium Date : 2015-10-06 CVE-ID : CVE-2015-7384 Package : nodejs Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package nodejs before version 4.1.2-1 is vulnerable to denial of service. Resolution ========== Upgrade to 4.1.2-1. # pacman -Syu "nodejs>=4.1.2-1" The problem has been fixed upstream in version 4.1.2. Workaround ========== None. Description =========== A vulnerability has been discovered in the HTTP pipeline handling that is leading to an application crash. This problem is caused by out-of-order responses being sent to the client within a single pipelined connection. Impact ====== A remote attacker is able to crash the process when out-of-order responses are sent within a single pipelined connection resulting in denial of service. References ========== https://github.com/nodejs/node/issues/3138 https://access.redhat.com/security/cve/CVE-2015-7384 https://nodejs.org/en/blog/release/v4.1.2/
participants (1)
-
Levente Polyak