From 6df09b4e49333508d18479ecbcd9aa9f23476be6 Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Thu, 25 Oct 2018 12:13:10 -0700 Subject: [PATCH] doc: simplify valid security issue descriptions PR-URL: https://github.com/nodejs/node/pull/23881 Reviewed-By: James M Snell Reviewed-By: Luigi Pinca --- README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a8dc9a1453098a..1185f5b4ba500b 100644 --- a/README.md +++ b/README.md @@ -182,9 +182,8 @@ nonetheless. ### Private disclosure preferred - [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/): - _Fix invalid wildcard certificate validation check_. This is a high severity - defect that would allow a malicious TLS server to serve an invalid wildcard - certificate for its hostname and be improperly validated by a Node.js client. + _Fix invalid wildcard certificate validation check_. This was a high-severity + defect. It caused Node.js TLS clients to accept invalid wildcard certificates. - [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities @@ -192,8 +191,8 @@ nonetheless. - [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/): _Fix defects in HTTP header parsing for requests and responses that can allow - response splitting_. While the impact of this vulnerability is application and - network dependent, it is remotely exploitable in the HTTP protocol. + response splitting_. This was a remotely-exploitable defect in the Node.js + HTTP implementation. When in doubt, please do send us a report.