
78 matches found

Node JS Blog
added 2019/08/16 12:0 a.m. | 63 views

August 2019 Security Releases

August 2019 Security Releases Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all...

CVSS 7.8 | AI score 7.7 | EPSS 0.87806
Exploits: 1

Node JS Blog
added 2019/02/28 12:0 a.m. | 31 views

February 2019 Security Releases

February 2019 Security Releases Update 28-February-2018 Security releases available Summary Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for ...

CVSS 7.5 | AI score 7 | EPSS 0.41288
Exploits: 0

Node JS Blog
added 2018/11/28 12:0 a.m. | 50 views

November 2018 Security Releases

November 2018 Security Releases Update 27-November-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement below. They also include upgrades of Node.js 6 and 8 to...

CVSS 8.1 | AI score 7.6 | EPSS 0.12154
Exploits: 4

Node JS Blog
added 2018/08/11 12:0 a.m. | 42 views

August 2018 Security Releases

August 2018 Security Releases Update 16-August-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement below. We recommend that all users...

CVSS 7.5 | AI score 7.7 | EPSS 0.49268
Exploits: 0

Node JS Blog
added 2018/06/12 12:0 a.m. | 57 views

June 2018 Security Releases

June 2018 Security Releases Update 12-June-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement below. We recommend that all users upgrade as soon as possible...

CVSS 7.8 | AI score 8.7 | EPSS 0.10782
Exploits: 0

Node JS Blog
added 2018/03/21 12:0 a.m. | 36 views

March 2018 Security Releases

March 2018 Security Releases Update 28-March-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement below. In addition to the vulnerabilities in the initial...

CVSS 8.8 | AI score 8 | EPSS 0.19295
Exploits: 0

Node JS Blog
added 2018/01/08 12:0 a.m. | 11 views

Meltdown and Spectre - Impact On Node.js

Meltdown and Spectre - Impact On Node.js Summary Project zero has recently announced some new attacks that have received a lot of attention: https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html. The risk from these attacks to systems running Node.js resides in th...

AI score 7.5
Exploits: 0

Node JS Blog
added 2017/12/08 12:0 a.m. | 39 views

Data Confidentiality/Integrity Vulnerability, December 2017

Data Confidentiality/Integrity Vulnerability, December 2017 Update 7-December-2017 Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. In addition the updates for 8....

CVSS 9.1 | AI score 6.9 | EPSS 0.78675
Exploits: 1

Node JS Blog
added 2017/10/30 12:0 a.m. | 35 views

OpenSSL update, 1.0.2m

OpenSSL update, 1.0.2m Update 8-Nov-2017 Node.js Releases Releases were made available for active lines yesterday, each including the OpenSSL 1.0.2m update. As we have not categorized these strictly as security releases they also contain other minor fixes and additions as per our regular release...

CVSS 6.5 | AI score 7.1 | EPSS 0.17699
Exploits: 0

Node JS Blog
added 2017/10/24 12:0 a.m. | 26 views

DOS security vulnerability, October 2017

DOS security vulnerability, October 2017 Update 24-October-2017 Releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. We recommend that all users upgrade as soon as possible...

CVSS 7.5 | AI score 7.6 | EPSS 0.08144
Exploits: 0

Node JS Blog
added 2017/09/29 12:0 a.m. | 22 views

Path validation vulnerability, September 2017

Path validation vulnerability, September 2017 Path Validation Vulnerability Updated 29-September-2017 - CVE assigned The Node.js project released a new version of 8.x this week which incorporates a security fix. Impact Version 8.5.0 of Node.js is vulnerable. 4.x and 6.x versions are NOT vulnerabl...

CVSS 7.5 | AI score 8.5 | EPSS 0.53416
Exploits: 2

Node JS Blog
added 2017/07/11 12:0 a.m. | 24 views

Security updates for all active release lines, July 2017

Security updates for all active release lines, July 2017 Update 10-August-2017 Snapshots Re-enabled on 8.3.0 The vulnerability has been patched upstream and snapshots have been re-enabled in 8.3.0 Expect a backport and update with the next release of 6.x Download Node.js v8 Current Update...

CVSS 7.5 | AI score 7.9 | EPSS 0.05478
Exploits: 1

Node JS Blog
added 2017/01/27 12:0 a.m. | 47 views

OpenSSL update, 1.0.2k

OpenSSL update, 1.0.2k Update 1-February-2017 Releases available Updates are now available for all active Node.js release lines. The following releases are bundled with OpenSSL 1.0.2k: Node.js 7.5.0 Current Node.js 6.9.5 LTS "Boron" Node.js 4.7.3 LTS "Argon" While this is not a critical update, a...

CVSS 7.5 | AI score 7.7 | EPSS 0.57595
Exploits: 6

Node JS Blog
added 2016/10/15 12:0 a.m. | 41 views

October security releases and v6 LTS "Boron" security inclusions

October security releases and v6 LTS "Boron" security inclusions Update 18-October-2016 Releases available Updates are now available for all active Node.js release lines. The following releases all contain fixes for CVE-2016-5180 "ares_create_query single byte out of buffer write": Node.js v0.10.48...

CVSS 9.8 | AI score 8.6 | EPSS 0.08583
Exploits: 0

Node JS Blog
added 2016/09/23 12:0 a.m. | 44 views

Security updates for all active release lines, September 2016

Security updates for all active release lines, September 2016 Update 27-September-2016 Releases available Updates are now available for all active Node.js release lines. These include the recently published versions of OpenSSL 1.0.1 and 1.0.2 as well as fixes for some Node.js-specific...

CVSS 9.8 | AI score 8.7 | EPSS 0.95707
Exploits: 8

Node JS Blog
added 2016/06/13 12:0 a.m. | 40 views

Security updates for all active release lines, June 2016

Security updates for all active release lines, June 2016 Update 23-June-2016 Releases available After a thorough assessment of the fixes we were planning on including, we have decided to scale back this security update to only include a subset. We are deferring some fixes while we improve the...

CVSS 9.3 | AI score 9.3 | EPSS 0.04168
Exploits: 0

Node JS Blog
added 2016/05/02 12:0 a.m. | 23 views

OpenSSL updates, 1.0.1t and 1.0.2h

OpenSSL updates, 1.0.1t and 1.0.2h Update 6-May-2016 New Node.js Releases The following releases have been made available to include the security updates to OpenSSL discussed in the post below. Please upgrade your Node.js installation as soon as possible in order to be protected against the...

AI score 7
Exploits: 0

Node JS Blog
added 2016/03/31 12:0 a.m. | 12 views

npm security updates v2.15.1 and v3.8.3

npm security updates v2.15.1 and v3.8.3 This announcement is also covered on the npm blog: http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability. The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interfac...

AI score 7.2
Exploits: 0

Node JS Blog
added 2016/02/29 12:0 a.m. | 20 views

OpenSSL updates, 1.0.2g and 1.0.1s

OpenSSL updates, 1.0.2g and 1.0.1s Updates to this post, including a schedule change are included below The OpenSSL project has announced that they will be releasing versions 1.0.2g and 1.0.1s this week, on Tuesday the 1st of March, UTC. The releases will fix "several defects" that are labelled a...

AI score 7
Exploits: 0

Node JS Blog
added 2016/02/09 12:0 a.m. | 48 views

February 2016 Security Release Summary

February 2016 Security Release Summary Two weeks ago we announced the planned release of updates to all active release lines, v0.10, v0.12, v4 and v5, to fix HTTP related vulnerabilities and to upgrade the bundled versions of OpenSSL. Upon release of the OpenSSL updates we posted an impact...

CVSS 7.5 | AI score 7.3 | EPSS 0.83645
Exploits: 1

Node JS Blog
added 2016/01/27 12:0 a.m. | 30 views

OpenSSL upgrade low-severity Node.js security fixes

OpenSSL upgrade low-severity Node.js security fixes Updates to this post, including a schedule change are included below Summary The Node.js project will be releasing new versions across all of its active release lines early next week possibly sooner, pending full impact assessment to incorporate...

AI score 7.1
Exploits: 0

Node JS Blog
added 2015/12/04 12:0 a.m. | 35 views

December Security Release Summary

December Security Release Summary Last week we announced the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the announcement of OpenSSL updates with fixes for vulnerabilities labelled medium severity. The OpenSSL update...

CVSS 9.8 | AI score 8.4 | EPSS 0.44016
Exploits: 1

Node JS Blog
added 2015/12/01 12:0 a.m. | 39 views

December Security Release Schedule Update

December Security Release Schedule Update The OpenSSL project announced today that they will be releasing security updates for versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8 on the 3rd of December UTC. The updates will fix a number of security defects, the highest of which is classified as "moderate"...

CVSS 9.8 | AI score 8.5 | EPSS 0.05356
Exploits: 0

Node JS Blog
added 2015/11/25 12:0 a.m. | 45 views

CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability This announcement is for: CVE-2015-8027: a high-impact denial of service vulnerability CVE-2015-6764: a low-impact V8 out-of-bounds access vulnerability CVE-2015-8027 Denial of Service Vulnerabilit...

AI score 8.5
Exploits: 0

Node JS Blog
added 2014/07/31 12:0 a.m. | 42 views

V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30)

V8 Memory Corruption and Stack Overflow fixed in Node v0.8.28 and v0.10.30 A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may...

CVSS 9.8 | AI score 7.8 | EPSS 0.05356
Exploits: 0

Node JS Blog
added 2014/06/16 12:0 a.m. | 56 views

OpenSSL and Breaking UTF-8 Change (fixed in Node v0.8.27 and v0.10.29)

OpenSSL and Breaking UTF-8 Change fixed in Node v0.8.27 and v0.10.29 Today we are releasing new versions of Node: node-v0.8.27 node-v0.10.29 First and foremost these releases address the current OpenSSL vulnerability CVE-2014-0224, for both 0.8 and 0.10 we've upgraded the version of the bundled...

CVSS 7.4 | AI score 7.6 | EPSS 0.95326
Exploits: 9

Node JS Blog
added 2013/10/22 12:0 a.m. | 41 views

DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21)

DoS Vulnerability fixed in Node v0.8.26 and v0.10.21 Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection. We recommend that anyone using Node.js v0.8 or v0.10 to...

CVSS 5 | AI score 7.5 | EPSS 0.3722
Exploits: 3

Node JS Blog
added 2012/05/07 12:0 a.m. | 9 views

HTTP Server Security Vulnerability: Please upgrade to 0.6.17

HTTP Server Security Vulnerability: Please upgrade to 0.6.17 tl;dr A carefully crafted attack request can cause the contents of the HTTP parser's buffer to be appended to the attacking request's header, making it appear to come from the attacker. Since it is generally safe to echo back contents o...

AI score 6.3
Exploits: 0

Total number of security vulnerabilities: 78