TPS-2016-006 Node.js Vulnerabilities CVE-2016-2086 and CVE-2016-2216

How To Update Your Services

SmartOS Users

New releases of the node.js packages have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:

  • nodejs-0.10.42.tgz
  • nodejs-0.12.10.tgz
  • nodejs-4.3.0.tgz
  • nodejs-5.6.0.tgz

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/<nodejs_package>

You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.

Linux Users

Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:

  • Debian: CVE-2016-2086 and CVE-2016-2216
  • Centos/Red Hat/Fedora: CVE-2016-2086 and CVE-2016-2216
  • Ubuntu: CVE-2016-2086 and CVE-2016-2216

Original Notice

This notice is to advise all Joyent Public Cloud (JPC) and Triton (formerly known as SmartDataCenter, or SDC) customers of the recently-identified Node.js security vulnerabilities CVE-2016-2086 and CVE-2016-2216. In upcoming days, Joyent will proactively update this notice confirming actions that we have taken, as well as provide specific details on any required actions to be taken by both JPC and SDC customers.

For now, you can visit this Node.js website to obtain additional details. Again, we will update this notice with more information within the next several days, specific to actions that may be required by all JPC and SDC customers. Your attention to this matter is appreciated.

At any time, please do not hesitate to contact our Support team by raising a ticket at https://help.joyent.com or by email to support@joyent.com, if you have any questions or concerns.