Updates are now available for all active Node.js release lines as
well as the 7.x line. These include the fix for the high severity
vulnerability identified in the initial announcement, one additional
lower priority Node.js vulnerability in the 4.x release line, as well
as some lower priority fixes for Node.js dependencies across the
current release lines.

Constant Hashtable Seeds (CVE pending)

Node.js was susceptible to hash flooding remote DoS attacks as the
HashTable seed was constant across a given released version of
Node.js. This was a result of building with V8 snapshots enabled by
default which caused the initially randomized seed to be overwritten
on startup. Thanks to Jann Horn of Google Project Zero for reporting
this vulnerability.
This is a high severity vulnerability and applies to all active
release lines (4.x, 6.x, 8.x) as well as the 7.x line.

http.get with numeric authorization options creates uninitialized buffers

Application code that allows the auth field of the options object
used with http.get() to be set to a number can result in an
uninitialized buffer being created/used as the authentication
string.
This is a low severity defect and only applies to the 4.x release
line.
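
One way for application code to keep a numeric auth value from reaching http.get(), shown as an added example that is not part of the original announcement or of Node.js itself. The helper name buildRequestOptions, the field allowlist, the host api.example.test and the sample request bodies are all constructed for illustration.

```javascript
// Added example: validate user-influenced options before calling http.get().
// All names and sample inputs here are hypothetical.

// Only these fields may be copied from untrusted input (assumed allowlist).
const ALLOWED_FIELDS = ['path', 'auth'];

function buildRequestOptions(host, untrusted) {
  // The host is fixed by the application, never taken from the request body.
  const options = { host: host };
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) {
      options[key] = untrusted[key];
    }
  }
  if ('auth' in options && typeof options.auth !== 'string') {
    // JSON.parse yields a number for {"auth": 4096}. On the affected 4.x
    // line a numeric auth can result in an uninitialized buffer being used
    // as the authentication string, so anything but a string is refused.
    throw new TypeError('auth must be a string, got ' + typeof options.auth);
  }
  return options;
}

// Constructed request bodies, as an application might receive them.
const SAMPLES = [
  '{"path": "/status", "auth": "svc:s3cret"}',
  '{"path": "/status", "auth": 4096}',
  '{"path": "/status", "auth": ["svc:s3cret"]}',
  '{"path": "/status"}'
];

// Returns one verdict per sample: 'accepted' or 'rejected: <reason>'.
function checkSamples() {
  return SAMPLES.map(function (body) {
    try {
      buildRequestOptions('api.example.test', JSON.parse(body));
      return 'accepted';
    } catch (err) {
      return 'rejected: ' + err.message;
    }
  });
}

console.log(checkSamples());
```

The returned object is what the application would then pass to http.get(); no request is made by the example itself.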