node.exe

Message 1 of 4

petermat
Enthusiast

Secunia PSI is telling me that the copies of node.exe installed by Fusion down in C:\Users\emad\AppData\Local\Autodesk\webdeploy\shared\Brackets\1.2.0c\WIN64\Brackets

and

C:\Users\emad\AppData\Local\Autodesk\webdeploy\production\dc51aa32319719d501b533ed310b20be48414459\Brackets

are out of date - which they are. They are 10.24 vs the current 12.7. Installing the current version does nothing to change this as the standard install goes to 

C:\Program Files\nodejs

and installs a bunch more stuff than just node.exe.

Any advice on this situation?

0 Likes
Message 2 of 4

Phil.E
Autodesk

We use a lot of 3rd party components and don't necessarily update them without good cause. Is there a security advisory about this version of node that you are concerned about?

In our next update this component will not be called until you access the functionality that uses it.

Please let us know your concerns about this.

Thanks,

Phil Eichmiller
Software Engineer
Quality Assurance
Autodesk, Inc.


0 Likes
Message 3 of 4

petermat
Enthusiast

Secunia logs this as follows at

http://secunia.com/advisories/65282/

Description

A security issue has been reported in OpenSSL, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an error when finding an alternative certificate chain, which can be exploited to bypass certain checks on untrusted certificates and accept an otherwise invalid certificate.

The security issue is reported in versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

Solution:
Update to version 1.0.2d or 1.0.1p.

Provided and/or discovered by:
The vendor credits Adam Langley and David Benjamin.

Original Advisory:
http://www.openssl.org/news/secadv_20150709.txt

Deep Links:
Links available to Secunia VIM customers

0 Likes
Message 4 of 4

svelez
Alumni
Accepted solution

Hello Peter,

Thanks for bringing this issue to our attention. I do not believe that the version of node.exe delivered is used in such a way as to expose anyone to the vulnerability mentioned, but we have initiated the process for updating the component nonetheless.

In the meantime, it is used primarily to support the Brackets IDE that is provided for the purpose of editing JavaScript add-ins in neutron. As long as this functionality isn't used, the executable should not be launched. If you are not a programmer, avoiding Brackets shouldn't be hard. If you are a programmer, then you can use any editor of your preference instead.

To make your computer more secure in spite of the fact that you won't be using the exe, feel free to delete the node.exe files found in our installation folder... or if you prefer to replace them with the node.exe you downloaded... but since we have not tested with this version, we cannot guarantee that this will work.

Thanks,

Steven

0 Likes
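
An inventory check for the situation discussed in this thread, as an added example that is not part of any post and is not Autodesk's or Secunia's code: it lists every bundled node.exe under an application tree, reads its version without launching it, and shows whether a copy is currently running. The function name is hypothetical, the default root is taken from the paths in the first post, and it assumes node.exe carries a version resource that mirrors its release number.

```powershell
# Added example: inventory bundled node.exe copies under an application tree.
function Get-BundledNodeInventory {
    [CmdletBinding()]
    param(
        # Default root is the per-user webdeploy tree named in the thread.
        [string]$Root = (Join-Path $env:LOCALAPPDATA 'Autodesk\webdeploy'),
        # Lowest acceptable version, chosen by the reader from the advisory they track.
        [Parameter(Mandatory)][version]$MinimumVersion
    )

    # Image paths of node processes running right now.
    # Path can be empty when the caller lacks rights to query a process.
    $running = @(Get-Process -Name 'node' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } | ForEach-Object { $_.Path })

    Get-ChildItem -LiteralPath $Root -Filter 'node.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the version from the PE version resource; the binary is never executed.
            # A file with no version resource reports 0.0.0 and is therefore flagged.
            $vi = $_.VersionInfo
            $version = [version]('{0}.{1}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

            [pscustomobject]@{
                Path      = $_.FullName
                Version   = $version
                Outdated  = $version -lt $MinimumVersion
                Running   = $running -contains $_.FullName
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage (the minimum shown is a placeholder to replace):
# Get-BundledNodeInventory -MinimumVersion '<major.minor.patch>' | Format-List
```

A copy reported as `Outdated` but not `Running` matches the state described in the accepted answer; rerunning the function after an application update shows whether the bundled copy was actually replaced.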