August 11th, 2018
The Node.js project will be releasing new versions for each of its supported release lines on, or shortly after, the 15th of August, 2018 (UTC). These releases will incorporate a number of security fixes and an upgraded version of OpenSSL.
We consider all of the flaws being addressed in these releases to be low severity. However, users should assess the severity of the impact on their own applications using the information disclosed here and the additional disclosure that will come with the releases.
The OpenSSL team have announced that OpenSSL 1.1.0i and 1.0.2p will be made available on the 14th of August, 2018. There will be three "LOW severity" security fixes in this release that have already been disclosed, and the fixes made available on the OpenSSL git repository. Two of these items are relevant to Node.js users:
- OpenSSL: Client DoS due to large DH parameter (CVE-2018-0732)
- OpenSSL: ECDSA key extraction via local side-channel (CVE not assigned)
- All versions of Node.js 6.x (LTS "Boron") are impacted via OpenSSL 1.0.2
- All versions of Node.js 8.x (LTS "Carbon") are impacted via OpenSSL 1.0.2
- All versions of Node.js 10.x (Current) are impacted via OpenSSL 1.1.0
- Unintentional exposure of uninitialized memory (CVE-2018-7166)
- Out of bounds (OOB) write (CVE-2018-12115)
All actively supported release lines of Node.js are impacted by these flaws.
We will also be including the following items in these releases for LTS release lines:
- inspector: don't bind to 0.0.0.0 by default (v6.x) #21376: impacts Node.js 6.x (LTS "Boron") only
- test: update keys/Makefile to clean and build all #19975: impacts the test suite for all actively supported release lines of Node.js
The Node.js 10 "Current" release will not be limited to only security-related updates, as per policy for non-LTS release lines.
Releases will be available at, or shortly after, the 15th of August, 2018 (UTC), along with disclosure of details of the flaws addressed in order to allow for complete impact assessment by users.
The current Node.js security policy can be found at https://nodejs.org/en/security/.
Please contact firstname.lastname@example.org if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.