Node.dll insecure version #659

JorisVanEijden · 2018-02-01T07:40:56Z

My Setup

Windows version comes with node.dll v7.9.0 which has a security issue (https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/)
Fixed version is 7.10.1

Node version with known security vulnerabilities used.

Node version with no known security vulnerabilities used.

I am not personally aware of specific ways to abuse this vulnerability. I just get alerts from our security software when users install Rocket.Chat.

gdelavald · 2018-02-01T13:15:32Z

Thanks @JorisVanEijden I'll check the necessary updates to fix this.

engelgabriel · 2018-02-05T14:52:49Z

@JorisVanEijden can you try the version 2.10.3?

JorisVanEijden · 2018-02-06T07:20:41Z

2.10.3 ships with 7.9.0 too.
2.10.4 contains node 8.2.1 which is 3 security releases behind:

Again, I have no idea if any of these are actually exploitable in Rocket.Chat.

engelgabriel · 2018-02-07T16:54:16Z

@JorisVanEijden please try version 2.10.5

JorisVanEijden · 2018-02-09T07:03:12Z

2.10.5 also has node 8.2.1

tassoevan added type: urgent subj: security labels Nov 19, 2018

tassoevan modified the milestones: 2.15.0, 2.14.5 Nov 19, 2018

tassoevan mentioned this issue Dec 9, 2018

[BREAK] Update dependencies #1036

Merged

tassoevan closed this as completed in #1036 Dec 9, 2018