This morning's fun news comes to us courtesy of The Register. In short, there are two vulnerabilities: the most severe one is a remotely-exploitable denial of service (DoS) bug and the other is a medium-severity out-of-bounds access vulnerability. Fixes are due out shortly.
High severity vulnerability: CVE-2015-8027 is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued. It affects all versions of v0.12.x through to v5.x, but not versions 0.10.x.
Medium severity vulnerability: CVE-2015-6764 is an out-of-bounds access vulnerability that only affects v4.x and v5.x. An attacker can trigger an out-of-bounds access and/or denial-of-service “if user-supplied JavaScript can be executed by an application”, the CVE says.
There are currently no known exploits in the wild.
See also: InfoWorld and Security Week.
Those of you who have to spend their day updating and testing have my sympathies.
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 01 2015, @02:23PM
I keep hearing about it.
I just remember a big stink about dumb people refusing gender neutral language in the documentation, ultimately leading to a big split.
I still have no idea what it is, and why I should care about this exploit...
I mean... is facebook vulnerable? (yay!)
Is google vulnerable? (hm)
Is soylentnews vulnerable? (oh well)
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @02:24PM
node.js is meant to take javascript server-side and keep people living in the delusion that everything needs to be written in javascript. cause javascript.
(Score: 2) by LoRdTAW on Tuesday December 01 2015, @04:13PM
Not a proponent of js/node.js but the point of node.js was to make web development more (and I hate to use this word here, but...) homogeneous. The same language on the front end is also used on the back end. It makes sense in some ways.
(Score: 4, Funny) by JNCF on Tuesday December 01 2015, @08:50PM
the point of node.js was to make web development more (and I hate to use this word here, but...) homogeneous.
The Committee of Overused Buzzwords would like to inform you of the preferred term, isomorphic. It sounds cooler than homogeneous.
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @04:15PM
Unfortunately, JavaScript is the only language which runs on Android, iThings, desktop and server. And two of these are growing markets for developers.
(Score: 2, Funny) by Anonymous Coward on Tuesday December 01 2015, @05:54PM
Obligatory meme [imgur.com].
(Score: 2) by tibman on Tuesday December 01 2015, @07:29PM
You cannot avoid javascript on the front-end. Your only other option is to have no active content at all. So let's just accept that if you are making a website that javascript must be involved. Is it delusional to want to use the same libraries and models on the front-end as the back-end? How about decimal rounding that happens the same on the front as on the back (so many languages do it differently)? How about date string formats that are the same? How about mental context switches when going from your front-end language to your back? How about eliminating duplicate code because you validate on both the front and back?
I don't use node but i would not describe someone who does as delusional. That sounds like an argument from someone who hates javascript from a user perspective and not someone who has developed with it. The sheer amount of work it would save you makes node worth trying. Choose the best tool for the job! : )
SN won't survive on lurkers alone. Write comments.
(Score: 3, Touché) by The Mighty Buzzard on Tuesday December 01 2015, @07:58PM
Posting that sentence on this site was too strong for my irony meter. You owe me $19.95 plus shipping and handling for a new one.
My rights don't end where your fear begins.
(Score: 2) by tibman on Tuesday December 01 2015, @09:55PM
You should know that SN has javascript. It does some random math that 1% of the time results in an ajax call. I believe there are some other bits on other pages too. Admin pages, if i remember right. Where "normal" people can't see.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by The Mighty Buzzard on Wednesday December 02 2015, @12:01AM
Yup, there is some in the admin stuff. I'd really like to get rid of it but I can't justify the hours necessary to rewrite it all.
Should be nothing forward facing though except the comment expansion/contraction code and soon the Stripe credit card billing (it had to either use their js or we'd need the site security certified). The ajax plugin isn't enabled on any of the site installs though, so if any of it still shows up it's a bug not a feature.
My rights don't end where your fear begins.
(Score: 2) by chromas on Wednesday December 02 2015, @12:00PM
Not at all. It would be better to push for a decent language in browsers, instead, though.
Try convincing all the people who keep trying to stuff the whole of computerdom into a web browser.
:D
(Score: 2) by tibman on Wednesday December 02 2015, @02:34PM
Could you give an example so i can shoot it down : ) Because javascript is intentionally different than most languages. You'd have to design a language from the ground up.
Hah, you've got me there. Javascript must be the most abused (computer) language of all time.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by JNCF on Wednesday December 02 2015, @10:01PM
It would be better to push for a decent language in browsers, instead, though
But if you're trying to achieve the goal of isomorphism/homogeneousity using the tools available in 2015, the only way you can use a non-ECMAScript language in a browser without plugins is to compile something else to ECMAScript. Then you find yourself working in an environment that has way more relevant libraries available in ECMAScript than whatever you're compiling from, so practically speaking being able to interface with existing ECMAScript libraries is a high priority. You might find that you want to run those same libraries on the server, say if you wanted to prerender your content with a virtual dom (this is the most compelling use case I've heard for isomorphism, though others exist). If isomorphism is the goal and you're stuck in 2015, you may find yourself compiling something else to ECMAScript and running it in node. Crazy, I know.
(Score: 2) by PizzaRollPlinkett on Tuesday December 01 2015, @04:47PM
Node.js is like Frankenstein's monster driving the car Homer Simpson designed from scratch. It's an efficient, massively parallel web server platform that also runs command-line applications, and gives you all the speed of a JavaScript interpreter. It's like several good ideas were combined into one thing that is less than the sum of its parts.
(E-mail me if you want a pizza roll!)
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @05:52PM
Node.js is a project where the contributors get butthurt over an emoji [github.com].
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday December 01 2015, @07:46PM
Thankfully, our code of conduct reads something like "If someone is offended by an unintentional microaggression, promptly say: Go cut yourself, emo-tard" around these parts.
My rights don't end where your fear begins.
(Score: 3, Informative) by JNCF on Tuesday December 01 2015, @08:38PM
They're also talking about deprecating a stable API to remove the word "suicide," [github.com] because it is offensive and uninclusive to remind people about suicide. Seems like most comments are in favor. They're not just talking about making an alias, they're talking an unnecessary breaking change. "Suicide" doesn't even seem like a good name for a boolean, [nodejs.org] but fuck breaking changes.
(Score: 1) by Post-Nihilist on Tuesday December 01 2015, @10:19PM
Wow, it is like a parody; if South Park was about programming it would be part of the current story arc!!
Considering the current CVEs affecting node.js they should spend more time arguing about design than terminology.
Be like us, be different, be a nihilist!!!
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @04:42PM
High severity vulnerability: CVE-2015-8027 is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued. It affects all versions of v0.12.x through to v5.x, but not versions 0.10.x.
so really, figure out what makes 0.10 different from 0.9 and 0.11 and you know the bug. So much for embargoing
(Score: 2) by JNCF on Tuesday December 01 2015, @09:12PM
I think they're just saying that 0.10.x is the earliest unaffected version, not that 0.9.x is vulnerable. I also believe that 0.12.x was an attempt to move closer to the io.js codebase before merging the two, and they jumped to 4.x after the merge. It would be interesting to know if the vulnerability is in the old io.js codebase as well.
(Score: 0) by Anonymous Coward on Tuesday December 01 2015, @11:50PM
A comment in the source code uses the word "stack" which is a horribly sexist slur against stacked broads. The bugfix changes the comment to use the word "shelf" which has no known sexual connotations.
(Score: 0) by Anonymous Coward on Wednesday December 02 2015, @04:03PM
I rested my mandingo sized penis upon the shelf of her breasts?
(Score: 4, Interesting) by darkfeline on Wednesday December 02 2015, @01:42AM
I don't think any self-respecting sysadmin would be running Node.js in the first place. If not for technical reasons:
Then at least to avoid the bullshit political reasons.
"But you shouldn't be doing those things in the first place!" If the language has it as a feature, rest assured someone is going to abuse it, and sooner or later you will have to maintain it. Just look at Perl.
Join the SDF Public Access UNIX System today!