-
Notifications
You must be signed in to change notification settings - Fork 6.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
PR-URL: #1496 Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Evan Lucas <[email protected]>
- Loading branch information
Showing
2 changed files
with
34 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
33 changes: 33 additions & 0 deletions
33
locale/en/blog/vulnerability/december-2017-security-releases.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| --- | ||
| date: 2017-12-04T19:30:00.617Z | ||
| category: vulnerability | ||
| title: Data Confidentiality/Integrity Vulnerability, December 2017 | ||
| slug: december-2017-security-releases | ||
| layout: blog-post.hbs | ||
| author: Michael Dawson | ||
| --- | ||
|
|
||
| # Summary | ||
| The Node.js project will be releasing new versions of 4.x, 6.x, 8.x and 9.x as soon as possible after the OpenSSL release, on or soon after December 8th UTC, to incorporate a security fix. | ||
|
|
||
| # Data Confidentiality/Integrity Vulnerability | ||
|
|
||
| All versions of 4.x, 6.x, 8.x and 9.x are vulnerable to an issue to be fixed in the forthcoming OpenSSL-1.0.2n released on Dec 7, see https://mta.openssl.org/pipermail/openssl-announce/2017-December/000108.html for more details. The severity of this vulnerability of Node.js is HIGH (due to the way Node.js uses the OpenSSL APIs) and users of the affected versions should plan to upgrade when a fix is made available. | ||
|
|
||
| # Impact | ||
|
|
||
| * Versions 4.0 and later of Node.js are vulnerable | ||
| * Versions 6.0 and later of Node.js are vulnerable | ||
| * Versions 8.0 and later of Node.js are vulnerable | ||
| * Versions 9.0 and later of Node.js are vulnerable | ||
|
|
||
| # Release timing | ||
| Releases will be available as soon as possible after the OpenSSL release, along with disclosure of the details for the vulnerability in order to allow for complete impact assessment by users. | ||
|
|
||
| # Contact and future updates | ||
|
|
||
| The current Node.js security policy can be found at https://nodejs.org/en/security/. | ||
|
|
||
| Please contact [email protected] if you wish to report a vulnerability in Node.js. | ||
|
|
||
| Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the [nodejs GitHub organisation](https://github.com/nodejs/). |