sec: upcoming security announcement #1496

Closed
wants to merge 6 commits into from

@mhdawson mhdawson commented Dec 4, 2017

No description provided.

mhdawson commented Dec 4, 2017

@nodejs/website please review, would like to publish within the next hour (Although I'm in a meeting 3-4 so it may be 4 before I get back to it, so feel free to land if it looks ok)

@MylesBorins MylesBorins left a comment

LGTM

@MylesBorins

Should we also update the main header?

@maclover7 maclover7 left a comment

one quick nit

---
date: 2017-12-04T19:30:00.617Z
category: vulnerability
title: Data Confidentiality/Integrity Vulnerability, September 2017

December 2017

mhdawson commented Dec 4, 2017

@maclover7 thanks, good catch. Updated.

mhdawson commented Dec 4, 2017

@MylesBorins we should probably define our policy on that. If we should do it as part of the announce and release I'll update the instructions to reflect that.


# Data Confidentiality/Integrity Vulnerability

All versions of 4.x, 6.x, 8.x and 9.x are vulnerable to an issue to be fixed in the forthcoming OpenSSL-1.0.2n released on Dec 7 see https://mta.openssl.org/pipermail/openssl-announce/2017-December/000108.html for more details. The severity of this vulnerability of Node.js is HIGH (due to the way Node.js uses the OpenSSL APIs) and users of the affected versions should plan to upgrade when a fix is made available.

Nit: add a comma after Dec 7?

Member Author

Fixed

lpinca commented Dec 4, 2017

@mhdawson I'd also update the banner

content: 'Important <a href="https://nodejs.org/en/blog/vulnerability/oct-2017-dos/">DOS security vulnerability</a>, Release coming Tuesday October 24th'

@MylesBorins

@mhdawson afaik we've updated the banner on all previous sec announcements. @lpinca graciously pointed out where to do this above

mhdawson commented Dec 4, 2017

Also added to banner.

mhdawson added a commit that referenced this pull request Dec 4, 2017
PR-URL: #1496
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Evan Lucas <[email protected]>

mhdawson commented Dec 4, 2017

Landed as e552ce4

Trott commented Dec 4, 2017

Oops, I was a few minutes too late. Oh, well, they were very small nits.
