October security releases and v6 LTS “Boron” security inclusions

October 15th, 2016

Node.js v6 LTS security inclusions.

Next week, on Tuesday the 18th (late evening UTC), the Node.js Foundation will launch its second LTS release line, a continuation of the v6.x series. This line is codenamed “Boron” and its first version will be v6.9.0.

In addition to the change that introduces the process.release.lts property (set to 'Boron'), the release will include three low-severity security patches that apply only to the v6.x release series.

The vulnerabilities being addressed are all low severity and arise in Node.js dependencies:

  • V8
  • OpenSSL, only when Node.js is built in FIPS-compliant mode (the official binaries are not built this way)
  • v8_inspector, the new experimental debugging protocol

These patches will also be included in the new v7.x Current (non-LTS) release line, which is due to launch later this month.

  • Node.js v6 is affected
  • Node.js v4 (LTS “Argon”) is not affected
  • Node.js v0.12 (Maintenance) is not affected
  • Node.js v0.10 (Maintenance) is not affected

CVE-2016-5180 “ares_create_query single byte out of buffer write”.

A security vulnerability has been discovered in the c-ares library that is bundled with all versions of Node.js. Because the flaw is difficult to trigger and to exploit, we currently consider it a low-severity issue for Node.js users.

The patch is already included in Node.js v6, and we will ensure that patched versions of the remaining affected release lines are made available by Tuesday the 18th.

  • Node.js v6 is not affected
  • Node.js v4 (LTS “Argon”) is affected
  • Node.js v0.12 (Maintenance) is affected
  • Node.js v0.10 (Maintenance) is affected

We apologise for the short notice of these releases.