New releases of the node.js packages have been added to the 2014Q4 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command:
pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-0.12.9.tgz pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-4.2.3.tgz
You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.
Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:
- Debian: CVE-2015-8027 and CVE-2015-6764
- Centos/Red Hat/Fedora: CVE-2015-8027 and CVE-2015-6764
- Ubuntu: CVE-2015-8027 and CVE-2015-6764
This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified Node.js security vulnerabilities CVE-2015-8027 and CVE-2015-6764. In the next coming days, Joyent will pro-actively update this notice confirming actions taken by Joyent, as well as provide specific details on any required actions that will need to be taken by both JPC and SDC customers.
For now, you can visit this Node.js website to obtain additional details. Again, we will update this notice with more information within the next several days, specific to actions that may be required by all JPC and SDC customers. Your attention to this matter is appreciated.