Notable changes Release keys have been synchronized with the main branch. deps: upgrade npm to 6.14.11 (Darcy Clarke) #36838 Commits [ 1cc6b69557a ] – deps: upgrade npm to 6.14.11 (Darcy Clarke) #36838 [ 1aefb66528a ] – doc: update contact information for @BethGriggs (Beth Griggs) #35451 [ 108931481d8 ] – doc: Read more…
(Update 12-June-2018) Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement (below). We recommend that all users upgrade as soon as possible. Downloads & release details Node.js 10.4.1 (Current) Node.js 9.11.2 Node.js 8.11.3 Read more…
(Update 28-March-2018) Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement (below). In addition to the vulnerabilities in the initial announcement, we have also included a fix for a vulnerability in the Node.js Read more…
Summary Project zero has recently announced some new attacks that have received a lot of attention: https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html. The risk from these attacks to systems running Node.js resides in the systems in which your Node.js applications run, as opposed to the Node.js runtime itself. The trust model for Node.js assumes you Read more…
(Update 7-December-2017) Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. In addition the updates for 8.X and 9.X include a fix for a low severity buffer vulnerability as describe below. We recommend Read more…
(Update 8-Nov-2017) Node.js Releases Releases were made available for active lines yesterday, each including the OpenSSL 1.0.2m update. As we have not categorized these strictly as security releases they also contain other minor fixes and additions as per our regular release procedures. While we don’t consider OpenSSL 1.0.2m a critical Read more…
(Update 24-October-2017) Releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. We recommend that all users upgrade as soon as possible. Downloads Node.js v8 (Current) Node.js v6 (LTS “Boron”) Node.js v4 (LTS “Argon”) Node.js-specific Read more…
Path Validation Vulnerability (Updated 29-September-2017 – CVE assigned) The Node.js project released a new version of 8.x this week which incorporates a security fix. Impact Version 8.5.0 of Node.js is vulnerable. 4.x and 6.x versions are NOT vulnerable. Downloads Node.js 8 (Current) Node.js-specific security flaws Node.js version 8.5.0 included a Read more…
(Update 18-December-2019) Releases available These releases update npm to v6.13.4 to address three vulnerabilities described below. All current release lines were affected. At this time, CVEs have been requested by npm, Inc. and are pending review. See https://twitter.com/ahmadnassri/status/1205132161961123841 for more information. Global 1node_modules Binary Overwrite Versions of the npm CLI Read more…
Summary The OpenSSL Security releases of September 10th, 2019 do not affect Node.js. Analysis Our assessment of the security advisory is: ECDSA remote timing attack (CVE-2019-1547) Not affected. Node supports only named curves for ECDSA signing. Fork Protection (CVE-2019-1549) Not affected. Node.js always call 1exec() after 1fork() so will not Read more…
