OpenSSL security releases do not require Node.js security releases

September 12th, 2019

Summary The OpenSSL Security releases of September 10th, 2019 do not affect Node.js. Analysis Our assessment of the security advisory is: ECDSA remote timing attack (CVE-2019-1547) Not affected. Node supports only named curves for ECDSA signing. Fork Protection (CVE-2019-1549) Not affected. Node.js always call exec() after fork() so will not duplicate the PRNG state in…

OpenSSL security releases may require Node.js security releases

September 5th, 2019

Summary The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details. OpenSSL The OpenSSL project announced this week that they will be releasing versions 1.0.2t and 1.1.1d on the 10th of September, UTC. The releases…

August 2019 Security Releases

August 13th, 2019

Summary The Node.js project will release new versions of all supported release lines on, or shortly after, Thursday, August 15th, 2019 UTC. These releases will incorporate security fixes to HTTP/2 Denial of Service vulnerabilities in Node.js, the highest severity of which is HIGH. The Denial of Service vulnerabilities to be fixed are common to a…