Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

Node.js announces security updates for all their active release lines for August 2018

Save for later
  • 3 min read
  • 13 Aug 2018

article-image

The Node.js team have announced new updates about their August 2018 releases. Per their blog, new versions for each of their supported lines will be released on, or shortly after, the 15th of August, 2018.

These releases will address flaws of low severity mostly incorporating a number of security fixes and an upgraded version of OpenSSL. However, the Node.js 10 Current release will not be limited to only security-related updates, as per policy for non-LTS release lines.

The releases will also include disclosure of details of the flaws addressed, allowing users to assess the severity of the impact on their own applications.

Upgrades to OpenSSL


There are two new upgrades to OpenSSL. OpenSSL 1.1.0i and 1.0.2p will be made available on the 14th of August, 2018. These releases will cover three low severity security fixes. Out of these three, two releases are relevant to Node.js users.

  • Client DoS due to large DH parameter: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key, resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.
  • ECDSA key extraction via local side-channel: The OpenSSL RSA Key generation algorithm is vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.


All versions of Node.js 6.x (LTS "Boron") and 8.x (LTS "Carbon") are impacted via OpenSSL 1.0.2. OpenSSL 1.1.0 impacts all versions of Node.js 10.x (Current). All OpenSSL fixes are available on the OpenSSL git repository.

Security inclusions in Node.js


Apart from OpenSSL upgrades, the August 2018 upgrades also feature security inclusions:

  • Unintentional exposure of uninitialized memory
  • Unlock access to the largest independent learning library in Tech for FREE!
    Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
    Renews at €18.99/month. Cancel anytime
  • Out of bounds (OOB) write


All actively supported release lines of Node.js are impacted by these flaws.

Additional inclusions


In addition to OpenSSL and security upgrades, the following items are also included for LTS release lines:

  • In inspector the bind address is changed from 0.0.0.0 to 127.0.0.1 so that the bind address can be overridden by the user. This upgrade impacts Node.js 6.x (LTS "Boron") only.
  • In test, keys/Makefile, are updated to clean and build all. This upgrade impacts the test suite for all actively supported release lines of Node.js.


The announcement can be read at the Node.js Blog. You can also have a look at the current security policy.

Node 10.0.0 released, packed with exciting new features

Deploying Node apps on Google App Engine is now easy

How is Node.js Changing Web Development?