77 matches found
OpenSSL update assessment, and Node.js project plans
OpenSSL update assessment, and Node.js project plans By Rafael Gonzaga, Jun 21, 2022 Summary The vulnerabilities in the OpenSSL Security releases of Jun 21 2022 do not affect any active Node.js release lines. Analysis Our assessment of the security advisory is: The crehash script allows command...
Monday, July 8, 2024 Security Releases
Monday, July 8, 2024 Security Releases Security releases available Updates are now available for the 22.x, 20.x, 18.x Node.js release lines for the following issues. Bypass incomplete fix of CVE-2024-27980 CVE-2024-36138 - High The CVE-2024-27980 was identified as an incomplete fix for the...
Nov 3 2022 Security Releases
Nov 3 2022 Security Releases Update 04-November-2022 Security releases available Updates are now available for v14,x, v16.x, v18.x and v19.x Node.js release lines for the following issues. X.509 Email Address 4-byte Buffer Overflow High CVE-2022-3602 A buffer overrun can be triggered in X.509...
OpenSSL and zlib update assessment, and Node.js Assessment workflow
OpenSSL and zlib update assessment, and Node.js Assessment workflow Summary The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well as the zlib vulnerability CVE-2022-37434 patched on the zlib Security release of Oct 13 2022, does...
August 2019 Security Releases
August 2019 Security Releases Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all...
August 31 2021 Security Releases
August 31 2021 Security Releases Update 6-Dec-2021 Security releases available Updates are now available for v14.x, and v12.x Node.js release lines for the following issues. npm 6 update - node-tar There are vulnerabilities in the node-tar which are related to the initial reports and subsequent...
OpenSSL and Breaking UTF-8 Change (fixed in Node v0.8.27 and v0.10.29)
OpenSSL and Breaking UTF-8 Change fixed in Node v0.8.27 and v0.10.29 Today we are releasing new versions of Node: node-v0.8.27 node-v0.10.29 First and foremost these releases address the current OpenSSL vulnerability CVE-2014-0224, for both 0.8 and 0.10 we've upgraded the version of the bundled...
June 2018 Security Releases
June 2018 Security Releases Update 12-June-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement below. We recommend that all users upgrade as soon as possible...
February 2021 Security Releases
February 2021 Security Releases Update 23-Feb-2021 Security releases available Updates are now available for v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues. HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion Critical CVE-2021-22883 Affected Node.j...
Friday October 13 2023 Security Releases
Friday October 13 2023 Security Releases Update 13-October-2023 Security releases available Updates are now available for the v18.x and v20.x Node.js release lines for the following issues. undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch Low - CVE-2023-45143 Undic...
Thursday February 16 2023 Security Releases
Thursday February 16 2023 Security Releases Update 16-February-2023 Security releases available Updates are now available for the v19.x, v18.x, v16.x, and v14.x Node.js release lines for the following issues. OpenSSL Security updates This security release includes OpenSSL security updates as...
July 7th 2022 Security Releases
July 7th 2022 Security Releases Update 07-July-2022 Security releases available Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the following issues. HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding MediumCVE-2022-32213 The llhttp parser in the http...
OpenSSL update, 1.0.2k
OpenSSL update, 1.0.2k Update 1-February-2017 Releases available Updates are now available for all active Node.js release lines. The following releases are bundled with OpenSSL 1.0.2k: Node.js 7.5.0 Current Node.js 6.9.5 LTS "Boron" Node.js 4.7.3 LTS "Argon" While this is not a critical update, a...
July 2021 Security Releases
July 2021 Security Releases Update 1-Jul-2021 Security releases available Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issues. libuv upgrade - Out of bounds read Medium CVE-2021-22918 Node.js is vulnerable to out-of-bounds read in libuv's...
September 23rd 2022 Security Releases
September 23rd 2022 Security Releases Update 26-September-2022 Security releases available Recommendation update regarding CVE-2022-35255: Roll-out and re-issue all keys generated with WebCrypto.subtle.generateKey. Re-evaluate the confidentiality of data encrypted with those keys. Update...
January 2021 Security Releases
January 2021 Security Releases Update 4-Jan-2021 Security releases available Updates are now available for v10,x, v12.x, v14.x and v15.x Node.js release lines for the following issues. In addition to the vulnerabilities listed below, these releases also include an update to npm in order to resolv...
November 2018 Security Releases
November 2018 Security Releases Update 27-November-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement below. They also include upgrades of Node.js 6 and 8 to...
February 2016 Security Release Summary
February 2016 Security Release Summary Two weeks ago we announced the planned release of updates to all active release lines, v0.10, v0.12, v4 and v5, to fix HTTP related vulnerabilities and to upgrade the bundled versions of OpenSSL. Upon release of the OpenSSL updates we posted an impact...
OpenSSL update assessment, and Node.js project plans
OpenSSL update assessment, and Node.js project plans Summary The OpenSSL Security releases of May 3 2022 affects Node.js 17.x and 18.x but highest serverity is "Low" Analysis Our assessment of the security advisory is: The crehash script allows command injection CVE-2022-1292 Node.js doesn't use ...
OpenSSL November Security Release
OpenSSL November Security Release Summary The Node.js project may be releasing new versions across all of its supported release lines in the first week of November to incorporate upstream patches from OpenSSL. Please read on for full details. OpenSSL The OpenSSL project announced will release...
June 2020 Security Releases
June 2020 Security Releases Update 2-June-2020 Security releases available Updates are now available for all supported Node.js release lines for the following issues. TLS session reuse can lead to host certificate verification bypass High CVE-2020-8172 The 'session' event could be emitted before...
CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability
CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability This announcement is for: CVE-2015-8027: a high-impact denial of service vulnerability CVE-2015-6764: a low-impact V8 out-of-bounds access vulnerability CVE-2015-8027 Denial of Service Vulnerabilit...
DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21)
DoS Vulnerability fixed in Node v0.8.26 and v0.10.21 Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection. We recommend that anyone using Node.js v0.8 or v0.10 to...
Tuesday June 20 2023 Security Releases
Tuesday June 20 2023 Security Releases Update 20-June-2023 Security releases available Updates are now available for all supported Node.js release lines for the following issues. OpenSSL Security updates This security release includes the following OpenSSL security updates OpenSSL security adviso...
November 2020 Security Releases
November 2020 Security Releases Update 16-Nov-2020 Security releases available Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues. Denial of Service through DNS request CVE-2020-8277 A Node.js application that allows an attacker to trigger a DNS...
OpenSSL 3.0.7 update assessment
OpenSSL 3.0.7 update assessment Summary The vulnerability in the OpenSSL Security Advisory of Dec 13 2022 do not affect any active Node.js release lines. Analysis Our assessment of the security advisory is: X.509 Policy Constraints Double Locking CVE-2022-3996 Node.js doesn't call OpenSSL as a...
August 2018 Security Releases
August 2018 Security Releases Update 16-August-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement below. We recommend that all users...
OpenSSL Recent Security Patches
OpenSSL Recent Security Patches Summary For the vulnerabilities disclosed in the OpenSSL Security Advisories of: OpenSSL 3.0.11 - Tuesday 19th September 2023 OpenSSL 3.0.12 - Tuesday 24th October 2023 Node.js Windows is affected by one vulnerability rated as LOW. Therefore, these patches will be...
October 12th 2021 Security Releases
October 12th 2021 Security Releases Update 12-Oct-2021 Security releases available Updates are now available for the v16.x, v14.x, and v12.x Node.js release lines for the following issues. HTTP Request Smuggling due to spaced in headers MediumCVE-2021-22959 The http parser accepts requests with a...
August 2021 Security Releases
August 2021 Security Releases Update 11-Aug-2021 Security releases available Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issues. cares upgrade - Improper handling of untypical characters in domain names High CVE-2021-22931 Node.js was vulnerable t...
OpenSSL update assessment, and Node.js project plans
OpenSSL update assessment, and Node.js project plans Summary The vulnerabilities in the OpenSSL Security releases of Jun 21 2022 do not affect any active Node.js release lines. Analysis Our assessment of the security advisory is: The crehash script allows command injection CVE-2022-2068 Node.js...
February 2020 Security Releases
February 2020 Security Releases Update 6-February-2020 Security releases available Updates are now available for all active Node.js release lines for the following issues. HTTP request smuggling using malformed Transfer-Encoding header Critical CVE-2019-15605 Affected Node.js versions can be...
October security releases and v6 LTS "Boron" security inclusions
October security releases and v6 LTS "Boron" security inclusions Update 18-October-2016 Releases available Updates are now available for all active Node.js release lines. The following releases all contain fixes for CVE-2016-5180 "arescreatequery single byte out of buffer write": Node.js v0.10.48...
OpenSSL update, 1.0.2m
OpenSSL update, 1.0.2m Update 8-Nov-2017 Node.js Releases Releases were made available for active lines yesterday, each including the OpenSSL 1.0.2m update. As we have not categorized these strictly as security releases they also contain other minor fixes and additions as per our regular release...
Security updates for all active release lines, September 2016
Security updates for all active release lines, September 2016 Update 27-September-2016 Releases available Updates are now available for all active Node.js release lines. These include the recently published versions of OpenSSL 1.0.1 and 1.0.2 as well as fixes for some Node.js-specific...
V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30)
V8 Memory Corruption and Stack Overflow fixed in Node v0.8.28 and v0.10.30 A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may...
Data Confidentiality/Integrity Vulnerability, December 2017
Data Confidentiality/Integrity Vulnerability, December 2017 Update 7-December-2017 Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. In addition the updates for 8....
Security updates for all active release lines, June 2016
Security updates for all active release lines, June 2016 Update 23-June-2016 Releases available After a thorough assessment of the fixes we were planning on including, we have decided to scale back this security update to only include a subset. We are deferring some fixes while we improve the...
January 10th 2022 Security Releases
January 10th 2022 Security Releases Update 10-Jan-2022 Security releases available Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names MediumCVE-2021-44531 Accepting arbitrary Subject...
April 2021 Security Releases
April 2021 Security Releases Update 6-Apr-2021 Security releases available Updates are now available for v10,x, v12.x, v14.x and v15.x Node.js release lines for the following issues. OpenSSL - CA certificate check bypass with X509VFLAGX509STRICT High CVE-2021-3450 This is a vulnerability in OpenS...
December Security Release Schedule Update
December Security Release Schedule Update The OpenSSL project announced today that they will be releasing security updates for versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8 on the 3rd of December UTC. The updates will fix a number of security defects, the highest of which is classified as "moderate"...
Node v18.13.0 (LTS)
Node v18.13.0 LTS By Danielle Adams, Jan 06, 2023 Notable changes Add support for externally shared js builtins By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing...
OpenSSL security releases require Node.js security releases
OpenSSL security releases require Node.js security releases Update 18-Mar-2022 Security releases available Updates are now available for v17.x, v16.x, v14.x, and v12.x Node.js release lines to incorporate upstream patches from OpenSSL. Update to OpenSSL 3.0.2n and 1.1.1n, High CVE-2022-0778...
March 2018 Security Releases
March 2018 Security Releases Update 28-March-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement below. In addition to the vulnerabilities in the initial...
July 2021 Security Releases
July 2021 Security Releases Security releases available Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issue. We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was...
December Security Release Summary
December Security Release Summary Last week we announced the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the announcement of OpenSSL updates with fixes for vulnerabilities labelled medium severity. The OpenSSL update...
Wednesday August 9th 2023 Security Releases
Wednesday August 9th 2023 Security Releases Update 09-August-2023 Security releases available Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines for the following issues. Permissions policies can be bypassed via Module.load HIGHCVE-2023-32002 The use of Module.load ca...
September 2020 Security Releases
September 2020 Security Releases Update 15-Sept-2020 Security releases available Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues. HTTP Request Smuggling due to CR-to-Hyphen conversion High CVE-2020-8201 Affected Node.js versions converted carria...
OpenSSL security releases do not require Node.js security releases
OpenSSL security releases do not require Node.js security releases Summary The OpenSSL Security releases of September 10th, 2019 do not affect Node.js. Analysis Our assessment of the security advisory is: ECDSA remote timing attack CVE-2019-1547 Not affected. Node supports only named curves for...
Wednesday, April 3, 2024 Security Releases
Wednesday, April 3, 2024 Security Releases Security releases available Updates are now available for the v18.x, v20.x and 21.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: llhttp version 9.2.1 on...