Node v0.8.17 released - fixes security vulnerability - we're urged to upgrade ASAP

By: David Herron; Date: 2013-01-09 20:07

Tags: Node.JS

Isaac Schlueter just posted this warning:
This release addresses a potential security vulnerability.

If you do not use TypedArrays, then you're fine (but should still upgrade for other reasons, like better performance and npm peerDependencies.)

If you use TypedArrays, you should upgrade to v0.8.17 as soon as possible. If user input can affect the size parameter in a TypedArray, an integer overflow vulnerability could allow an attacker to write to areas of memory outside the intended buffer. Please upgrade ASAP.

2012.01.09, Version 0.8.17 (Stable)

  • npm: Upgrade to v1.2.0
    • peerDependencies (Domenic Denicola)
    • node-gyp v0.8.2 (Nathan Rajlich)
    • Faster installs from github user/project shorthands (Nathan Zadoks)
  • typed arrays: fix 32 bit size/index overflow (Ben Noordhuis)
  • http: Improve performance of single-packet responses (Ben Noordhuis)
  • install: fix openbsd man page location (Ben Noordhuis)
  • http: bubble up parser errors to ClientRequest (Brian White)
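
The general pattern behind the warning, as an added example (not code from Node or from the announcement): a byte size computed in 32 bits wraps around for a large element count, so an application should bound any user-supplied count before constructing a TypedArray. The function names, the sample inputs and the 1 MiB cap are assumptions made for this illustration.

```javascript
// Added illustration, not Node's source code.
// Models a byte size computed in 32-bit arithmetic and a guard for
// user-supplied TypedArray lengths.

// Result of length * elementSize when computed as an unsigned 32-bit value:
// the product wraps modulo 2^32 instead of growing.
function byteLength32(length, elementSize) {
  return Math.imul(length, elementSize) >>> 0;
}

// Accept only plain non-negative integers (number or decimal string).
function parseLength(input) {
  if (typeof input === 'string' && /^\d{1,10}$/.test(input)) return Number(input);
  if (typeof input === 'number' && Number.isInteger(input) && input >= 0) return input;
  throw new RangeError('length must be a non-negative integer');
}

// Bound the real (non-wrapping) byte size before allocating.
// maxBytes is an application policy value; 1 MiB is an assumed default.
function allocateFloat64(input, maxBytes = 1 << 20) {
  const length = parseLength(input);
  const bytes = length * Float64Array.BYTES_PER_ELEMENT; // true product, no 32-bit wrap
  if (bytes > maxBytes) {
    throw new RangeError('requested ' + bytes + ' bytes, limit is ' + maxBytes);
  }
  return new Float64Array(length);
}

// Constructed sample inputs: element counts as they might arrive from a request.
function demo() {
  return ['16', 0x20000001, '4294967295', '-1'].map((input) => {
    try {
      return { input, ok: true, length: allocateFloat64(input).length };
    } catch (err) {
      return { input, ok: false, error: err.message };
    }
  });
}

console.log('wrapped size for 0x20000001 doubles:', byteLength32(0x20000001, 8));
console.log(demo());
```

The first log line shows why the check is done on the unwrapped product: 0x20000001 eight-byte elements need over 4 GiB, yet the 32-bit size comes out as 8.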