CVE-2017-11499

Name: CVE-2017-11499
Description: Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 were susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 868162

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release  Version          Status
nodejs (PTS)    jessie   0.10.29~dfsg-2   vulnerable
                stretch  4.8.2~dfsg-1     vulnerable
                buster   4.8.4~dfsg-1     fixed
                sid      8.9.3~dfsg-7     fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
nodejs   source  (unstable)  4.8.4~dfsg-1   unimportant          868162

Notes

https://nodejs.org/en/blog/release/v6.11.1/
https://nodejs.org/en/blog/release/v4.8.4/
