The Node.js team have announced new updates about their August 2018 releases. Per their blog, new versions for each of their supported lines will be released on, or shortly after, the 15th of August, 2018.
These releases will address flaws of low severity mostly incorporating a number of security fixes and an upgraded version of OpenSSL. However, the Node.js 10 Current release will not be limited to only security-related updates, as per policy for non-LTS release lines.
The releases will also include disclosure of details of the flaws addressed, allowing users to assess the severity of the impact on their own applications.
Upgrades to OpenSSL
There are two new upgrades to OpenSSL. OpenSSL 1.1.0i and 1.0.2p will be made available on the 14th of August, 2018. These releases will cover three low severity security fixes. Out of these three, two releases are relevant to Node.js users.
- Client DoS due to large DH parameter: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key, resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.
- ECDSA key extraction via local side-channel: The OpenSSL RSA Key generation algorithm is vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.
All versions of Node.js 6.x (LTS "Boron") and 8.x (LTS "Carbon") are impacted via OpenSSL 1.0.2. OpenSSL 1.1.0 impacts all versions of Node.js 10.x (Current). All OpenSSL fixes are available on the OpenSSL git repository.
Security inclusions in Node.js
Apart from OpenSSL upgrades, the August 2018 upgrades also feature security inclusions:
- Unintentional exposure of uninitialized memory
Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime
- Out of bounds (OOB) write
All actively supported release lines of Node.js are impacted by these flaws.
Additional inclusions
In addition to OpenSSL and security upgrades, the following items are also included for LTS release lines:
- In inspector the bind address is changed from 0.0.0.0 to 127.0.0.1 so that the bind address can be overridden by the user. This upgrade impacts Node.js 6.x (LTS "Boron") only.
- In test, keys/Makefile, are updated to clean and build all. This upgrade impacts the test suite for all actively supported release lines of Node.js.
The announcement can be read at the Node.js Blog. You can also have a look at the current security policy.
Node 10.0.0 released, packed with exciting new features
Deploying Node apps on Google App Engine is now easy
How is Node.js Changing Web Development?
United States
United Kingdom
India
Germany
France
Canada
Russia
Spain
Brazil
Australia
Argentina
Austria
Belgium
Bulgaria
Chile
Colombia
Cyprus
Czechia
Denmark
Ecuador
Egypt
Estonia
Finland
Greece
Hungary
Indonesia
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malaysia
Malta
Mexico
Netherlands
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Singapore
Slovakia
Slovenia
South Africa
South Korea
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
