(Update 8-Nov-2017) Node.js Releases Releases were made available for active lines yesterday, each including the OpenSSL 1.0.2m update. As we have not categorized these strictly as security releases they also contain other minor fixes and additions as per our regular release procedures. While we don’t consider OpenSSL 1.0.2m a critical Read more…
(Update 15-Sept-2020) Security releases available Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues. HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201) Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Read more…
(Update 2-June-2020) Security releases available Updates are now available for all supported Node.js release lines for the following issues. TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172) The ‘session’ event could be emitted before the ‘secureConnect’ event. It should not be, because the connection may fail Read more…
Update The OpenSSL project has released a description of the issue fixed in the OpenSSL 1.1.1g update. It only affects a function which is not called by Node.js (or its dependencies), and as such, does not affect Node.js. No Node.js security releases are required. For more information, see the OpenSSL Read more…
(Update 6-February-2020) Security releases available Updates are now available for all active Node.js release lines for the following issues. HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605) Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be Read more…
(Update 18-December-2019) Releases available These releases update npm to v6.13.4 to address three vulnerabilities described below. All current release lines were affected. At this time, CVEs have been requested by npm, Inc. and are pending review. See https://twitter.com/ahmadnassri/status/1205132161961123841 for more information. Global 1node_modules Binary Overwrite Versions of the npm CLI Read more…
Summary The OpenSSL Security releases of September 10th, 2019 do not affect Node.js. Analysis Our assessment of the security advisory is: ECDSA remote timing attack (CVE-2019-1547) Not affected. Node supports only named curves for ECDSA signing. Fork Protection (CVE-2019-1549) Not affected. Node.js always call 1exec() after 1fork() so will not Read more…
Summary The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details. OpenSSL The OpenSSL project announced this week that they will be releasing versions 1.0.2t and 1.1.1d on the 10th Read more…
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all active Node.js release lines, including Linux ARMv6 builds for Node.js 8.x (which had been delayed). We recommend that all Node.js users Read more…
(Update 28-February-2018) Security releases available Summary Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability. The original announcement Read more…
