src: make debugger listen on 127.0.0.1 by default #8106

Merged
merged 1 commit into from Aug 23, 2016

@bnoordhuis
Member

bnoordhuis commented Aug 15, 2016

Commit 2272052 ("net: bind to :: TCP address by default") from
April 2014 seems to have accidentally changed the default listen
address from 127.0.0.1 to 0.0.0.0, a.k.a. the "any" address.

From a security viewpoint it's undesirable to accept debug agent
connections from anywhere so let's change that back. Users can
override the default with the --debug=<host>:<port> switch.

Fixes: #8081

CI: https://ci.nodejs.org/job/node-test-pull-request/3670/

@bnoordhuis

Member

bnoordhuis commented Aug 15, 2016

Fix for platforms where binding to 127.0.0.2 doesn't work: https://ci.nodejs.org/job/node-test-pull-request/3671/

@jasnell

Member

jasnell commented Aug 15, 2016

@indutny

LGTM

@bnoordhuis bnoordhuis force-pushed the bnoordhuis:fix8081 branch Aug 23, 2016

@bnoordhuis

Member

bnoordhuis commented Aug 23, 2016

src: make debugger listen on 127.0.0.1 by default
Commit 2272052 ("net: bind to `::` TCP address by default") from
April 2014 seems to have accidentally changed the default listen
address from 127.0.0.1 to 0.0.0.0, a.k.a. the "any" address.

From a security viewpoint it's undesirable to accept debug agent
connections from anywhere so let's change that back.  Users can
override the default with the `--debug=<host>:<port>` switch.

Fixes: #8081
PR-URL: #8106
Reviewed-By: James M Snell <jasnell@gmail.com>

@bnoordhuis bnoordhuis force-pushed the bnoordhuis:fix8081 branch to 8e7cbe2 Aug 23, 2016

@bnoordhuis bnoordhuis closed this Aug 23, 2016

@bnoordhuis bnoordhuis deleted the bnoordhuis:fix8081 branch Aug 23, 2016

@bnoordhuis bnoordhuis merged commit 8e7cbe2 into nodejs:master Aug 23, 2016

@gibfahn gibfahn referenced this pull request Jun 15, 2017

Closed

Auditing for 6.11.1 #230

2 of 3 tasks complete

rvagg added a commit that referenced this pull request Nov 28, 2018

2018-11-27, Version 6.15.0 'Boron' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Debugger port 5858 listens on any interface by default
    (CVE-2018-12120)
  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * Node.js: HTTP request splitting (CVE-2018-12116)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
    (CVE-2018-5407)

Notable Changes:

* debugger: Backport of #8106 to
  prevent the debugger from listening on `0.0.0.0`. It now defaults to
  `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
    (CVE-2018-12122 / Matteo Collina)
  * Two-byte characters are now strictly disallowed for the `path` option in
    HTTP client requests. Paths containing characters outside of the range
    `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
    can be reverted if necessary by supplying the
    `--security-revert=CVE-2018-12116` command line argument (this is not
    recommended). Reported as security concern for Node.js 6 and 8 by
    Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
    Fünfstück applied to Node.js 10 and later.
    (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
  URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: nodejs-private/node-private#153
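
Added example (not code from this pull request or from the Node.js project): a check over `ss -ltn` style output that finds listeners on the debugger port 5858 and flags any that are not bound to a loopback address, which is the condition this change removes from the default. The sample lines are constructed, and the function names `classifyBindAddress` and `findDebugListeners` are hypothetical.

```javascript
// Port 5858 is the debugger port named in the release notes above.
const DEBUG_PORT = 5858;

// Constructed sample lines in `ss -ltn` layout, as if gathered from several hosts.
const SAMPLE = [
  'State  Recv-Q Send-Q Local Address:Port Peer Address:Port',
  'LISTEN 0      128    0.0.0.0:5858       0.0.0.0:*',
  'LISTEN 0      128    127.0.0.1:5858     0.0.0.0:*',
  'LISTEN 0      128    [::1]:5858         [::]:*',
  'LISTEN 0      128    192.0.2.10:5858    0.0.0.0:*',
  'LISTEN 0      128    [::]:22            [::]:*',
].join('\n');

// Classify a bind address as 'loopback', 'wildcard' (the "any" address)
// or 'interface' (one specific non-loopback address).
function classifyBindAddress(host) {
  let h = host.replace(/%[^\]]*$/, '')   // drop an IPv6 zone id such as %eth0
              .replace(/^\[|\]$/g, '')   // drop the brackets around IPv6
              .toLowerCase();
  // Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) like the IPv4 address it wraps.
  if (h.startsWith('::ffff:') && h.includes('.')) h = h.slice(7);
  if (h === '*' || h === '0.0.0.0' || h === '::') return 'wildcard';
  if (h === '::1' || /^127(\.\d{1,3}){3}$/.test(h)) return 'loopback';
  return 'interface';
}

// Return one finding per LISTEN socket on `port`; `exposed` is true when
// the socket accepts connections from anything other than the local host.
function findDebugListeners(ssOutput, port = DEBUG_PORT) {
  const findings = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 5) continue;
    const local = cols[3];
    const idx = local.lastIndexOf(':');   // the port follows the last colon
    if (idx < 0 || Number(local.slice(idx + 1)) !== port) continue;
    const host = local.slice(0, idx);
    const scope = classifyBindAddress(host);
    findings.push({ host, port, scope, exposed: scope !== 'loopback' });
  }
  return findings;
}

for (const f of findDebugListeners(SAMPLE)) {
  console.log(`${f.exposed ? 'EXPOSED' : 'ok     '} ${f.host}:${f.port} (${f.scope})`);
}
```

An `exposed` finding on a specific interface is expected only where someone deliberately passed `--debug=<host>:<port>`; a wildcard finding points at a build without this change or an explicit override.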