Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sec: upcoming security announcement #1496

Closed
wants to merge 6 commits into from
Closed

Conversation

mhdawson
Copy link
Member

@mhdawson mhdawson commented Dec 4, 2017

No description provided.

@mhdawson
Copy link
Member Author

mhdawson commented Dec 4, 2017

@nodejs/website please review, would like to publish within the next hour (Although I'm in a meeting 3-4 so it may be 4 before I get back to it, so feel free to land if it looks ok)

Copy link
Contributor

@MylesBorins MylesBorins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@MylesBorins
Copy link
Contributor

Should we also update the main header?

Copy link
Contributor

@maclover7 maclover7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one quick nit

---
date: 2017-12-04T19:30:00.617Z
category: vulnerability
title: Data Confidentiality/Integrity Vulnerability, September 2017
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

December 2017

@mhdawson
Copy link
Member Author

mhdawson commented Dec 4, 2017

@maclover7 thanks, good catch. Updated.

@mhdawson
Copy link
Member Author

mhdawson commented Dec 4, 2017

@MylesBorins we should probably define our policy on that. If we should do it as part of the announce and release I'll update the instructions to reflect that.


# Data Confidentiality/Integrity Vulnerability

All versions of 4.x, 6.x, 8.x and 9.x are vulnerable to an issue to be fixed in the forthcoming OpenSSL-1.0.2n released on Dec 7 see https://mta.openssl.org/pipermail/openssl-announce/2017-December/000108.html for more details. The severity of this vulnerability of Node.js is HIGH (due to the way Node.js uses the OpenSSL APIs) and users of the affected versions should plan to upgrade when a fix is made available.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: add a comma after Dec 7?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

@lpinca
Copy link
Member

lpinca commented Dec 4, 2017

@mhdawson I'd also update the banner

content: 'Important <a href="https://nodejs.org/en/blog/vulnerability/oct-2017-dos/">DOS security vulnerability</a>, Release coming Tuesday October 24th'

@MylesBorins
Copy link
Contributor

@mhdawson afaik we've updated the banner on all previous sec announcements. @lpinca graciously pointed out where to do this above

@mhdawson
Copy link
Member Author

mhdawson commented Dec 4, 2017

Also added to banner.

mhdawson added a commit that referenced this pull request Dec 4, 2017
PR-URL: #1496
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
@mhdawson
Copy link
Member Author

mhdawson commented Dec 4, 2017

Landed as e552ce4

@Trott
Copy link
Member

Trott commented Dec 4, 2017

Oops, I was a few minutes too late. Oh, well, they were very small nits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants