
Node team: you're censoring the original ticket, which is unwise IMHO.

Your approach makes it impossible for an honest sysadmin to quickly find a way to block the attack using a firewall, but your approach doesn't stop an attacker from building an exploit based on the public commit.

Someone will come up with a proof of concept exploit quickly, and post it, probably here.

Please do the right thing: un-censor the GitHub ticket so we can understand what's happening.



I'm sure they're well aware of this argument.

> Your approach makes it impossible for an honest sysadmin to quickly find a way to block the attack using a firewall, but your approach doesn't stop an attacker from building an exploit based on the public commit.

This is unfair. You're implying that sysadmins don't have access to programming resources, but that attackers do, without actually coming out and saying it.

Once it's expressed this way, it seems wrongheaded. The phrase "script kiddies" comes out of attackers doing a lot without knowing much about programming. There are many sysadmins who code, and many attackers who don't. Furthermore, I think attackers are more likely to act alone than sysadmins, who often have developers working with them whom they can ask to help.

Finally, as far as I can tell this is self-censorship. The people who created the ticket participated in the decision to hide it, or aren't loudly objecting to it. This type of "censorship" is not to be confused with more serious forms of censorship.


The PoC is in the codebase; it was published as a test case for the fix.


Unfortunately that test-case passes against 0.8.25 as well. So I'm not quite convinced it can be used reliably to reproduce the problem.


Unsurprising because the new streams API, which is responsible for this bug, was introduced in node 0.10. Try with earlier 0.10 versions instead.


Well, in that case let's add confusion about affected versions to the list of things being suboptimal about this whole thing: http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/ - the same warning about the same error and they did backport the fix to 0.8: https://github.com/joyent/node/commit/653d4db71f569ddc87a0bc...


You're right, that is confusing. I'm not sure how it's exploitable in 0.8.




