Skip to content

Commit

Permalink
sec: upcoming security announcement
Browse files Browse the repository at this point in the history
PR-URL: #1496
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
  • Loading branch information
mhdawson committed Dec 4, 2017
1 parent 9a26517 commit e552ce4
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 1 deletion.
2 changes: 1 addition & 1 deletion build.js
Original file line number Diff line number Diff line change
Expand Up @@ -270,7 +270,7 @@ function getSource (callback) {
},
banner: {
visible: true,
content: 'Important <a href="https://nodejs.org/en/blog/vulnerability/oct-2017-dos/">security releases</a>, please update now!'
content: 'Important <a href="https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/">upcoming security releases</a>, please review'
}
}
}
Expand Down
33 changes: 33 additions & 0 deletions locale/en/blog/vulnerability/december-2017-security-releases.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---
date: 2017-12-04T19:30:00.617Z
category: vulnerability
title: Data Confidentiality/Integrity Vulnerability, December 2017
slug: december-2017-security-releases
layout: blog-post.hbs
author: Michael Dawson
---

# Summary
The Node.js project will be releasing new versions of 4.x, 6.x, 8.x and 9.x as soon as possible after the OpenSSL release, on or soon after December 8th UTC, to incorporate a security fix.

# Data Confidentiality/Integrity Vulnerability

All versions of 4.x, 6.x, 8.x and 9.x are vulnerable to an issue to be fixed in the forthcoming OpenSSL-1.0.2n released on Dec 7, see https://mta.openssl.org/pipermail/openssl-announce/2017-December/000108.html for more details. The severity of this vulnerability of Node.js is HIGH (due to the way Node.js uses the OpenSSL APIs) and users of the affected versions should plan to upgrade when a fix is made available.

# Impact

* Versions 4.0 and later of Node.js are vulnerable
* Versions 6.0 and later of Node.js are vulnerable
* Versions 8.0 and later of Node.js are vulnerable
* Versions 9.0 and later of Node.js are vulnerable

# Release timing
Releases will be available as soon as possible after the OpenSSL release, along with disclosure of the details for the vulnerability in order to allow for complete impact assessment by users.

# Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/.

Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the [nodejs GitHub organisation](https://github.com/nodejs/).

0 comments on commit e552ce4

Please sign in to comment.