Closed Bug 1237810 Opened 9 years ago Closed 9 years ago

Verify Persona exposure to NodeJS memory disclosure vuln

Categories

(Cloud Services :: Server: Identity, defect)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jvehent, Assigned: rfkelly)

Details

NodeJS released a patch for a memory disclosure vulnerability in the websocket code. Persona uses NodeJS and should patch if exposed. https://nodesecurity.io/advisories/67
I can't find any use of websockets in persona or its related bridges; looks like it's not affected.
Would it be possible to redeploy with the latest NodeJS in the next couple weeks anyway, to stay up to date, or is that going to break tons of code? Removing the sec flag. Please wontfix if we can't upgrade.
Group: websites-security
I'm pretty sure persona doesn't work with latest node, and hasn't received compatibility updates to run with anything newer than node 0.8 (!). I recall trying to build it with a newer node while working on Bug 1208480 and I was not successful. Perhaps we should do a broader audit to check that this situation is tenable for the future, but let's do it in a separate confidential bug.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX