January 27th, 2016 (updates to this post, including a schedule change, are included below)

The OpenSSL project announced this week that they will be releasing versions 1.0.2f and 1.0.1r on the 28th of January, UTC. The releases will fix two security defects that are labelled as "high" severity under their security policy, meaning they are:

> ... issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable.

Node.js v0.10 and v0.12 both use OpenSSL v1.0.1, and Node.js v4 and v5 both use OpenSSL v1.0.2, so all active release lines are impacted by this update. OpenSSL is normally compiled statically into the Node.js binary (a build configured with `--shared-openssl` is the exception), which means that updating the operating system's OpenSSL package does not fix Node.js: a new Node.js release that bundles the fixed OpenSSL is required. At this stage, because the defects are under embargo, neither their exact nature nor their impact on Node.js users is known.
CVSS v3 base metrics (vector `CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N`):

| Metric | Value |
|---|---|
| Base Score | 4.8 (Medium) |
| Attack Vector | Network (AV:N) |
| Attack Complexity | High (AC:H) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality Impact | Low (C:L) |
| Integrity Impact | Low (I:L) |
| Availability Impact | None (A:N) |
- Versions 0.10.x of Node.js are affected.
- Versions 0.12.x of Node.js are affected.
- Versions 4.x, including LTS Argon, of Node.js are affected.
- Versions 5.x of Node.js are affected.
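Because OpenSSL is linked statically, the version that matters is the one the Node.js binary itself reports, not what `openssl version` prints on the host. The script below is an added example (my code, not code from the Node.js post or project): it reads `process.versions.openssl`, compares the bundled OpenSSL against the fixed releases named above (1.0.1r for the 1.0.1 line, 1.0.2f for the 1.0.2 line), and flags a v0.10/v0.12 process started with the `--enable-ssl2` switch. It is written in ES5 so that it also runs on the v0.10 and v0.12 binaries it is meant to check; the helper names and the `assess` snapshot shape are my own.

```javascript
// Added example, not from the Node.js post or project.
// Node.js statically links OpenSSL, so `openssl version` on the host says
// nothing about what `node` uses; process.versions.openssl is authoritative.

// First OpenSSL patch level that carries the January 2016 fixes, per release line.
var FIXED_PATCH = { '1.0.1': 'r', '1.0.2': 'f' };

// Parse an OpenSSL 1.0.x version string such as "1.0.1q" or "1.0.2f-fips"
// into its numeric release line and its letter patch level.
function parseOpenSSLVersion(version) {
  var m = /^(\d+\.\d+\.\d+)([a-z]*)/.exec(String(version));
  if (!m) throw new Error('unrecognised OpenSSL version string: ' + version);
  return { line: m[1], patch: m[2] };
}

// true  -> bundled OpenSSL is 1.0.1r+ or 1.0.2f+ (fixed)
// false -> an earlier 1.0.1/1.0.2 build (needs the update)
// null  -> a different release line; this advisory does not cover it
function hasJanuary2016Fix(version) {
  var v = parseOpenSSLVersion(version);
  var fixedAt = FIXED_PATCH[v.line];
  if (fixedAt === undefined) return null;
  // OpenSSL 1.0.x patch levels are letters that sort lexicographically;
  // an empty suffix ("1.0.2") is the base release and sorts before "a".
  return v.patch >= fixedAt;
}

// --enable-ssl2 re-enables SSLv2 in Node.js v0.10/v0.12; v4 and v5 dropped SSLv2.
function ssl2Enabled(execArgv) {
  return execArgv.indexOf('--enable-ssl2') !== -1;
}

// Assess a process snapshot { node, openssl, execArgv } (constructed in tests,
// taken from the live process below).
function assess(snapshot) {
  var major = parseInt(String(snapshot.node).replace(/^v/, ''), 10);
  return {
    node: snapshot.node,
    openssl: snapshot.openssl,
    fixed: hasJanuary2016Fix(snapshot.openssl),
    sslv2Exposed: major === 0 && ssl2Enabled(snapshot.execArgv || [])
  };
}

// Run as `node check-openssl.js` with the binary you want to audit.
console.log(assess({
  node: process.version,
  openssl: process.versions.openssl,
  execArgv: process.execArgv
}));
```

Run it with each Node.js binary you deploy (not just the one on your PATH): a `fixed: false` result on a 1.0.1/1.0.2 line means that binary still needs the release carrying 1.0.1r or 1.0.2f, whatever the host's OpenSSL package says.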
... set the `SSL_OP_SINGLE_DH_USE` option already and are therefore not affected by this defect.

### SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

Node.js v0.10 and v0.12 disable SSLv2 by default and are not affected unless the `--enable-ssl2` command line argument is being used (not recommended). Node.js v4 and v5 do not support SSLv2 at all.

### An update on DHE man-in-the-middle protection (Logjam)

The OpenSSL releases bundled since Node.js v0.10.39, v0.12.5, v4.0.0 and v5.0.0 mitigated Logjam for TLS clients by rejecting connections to servers whose Diffie-Hellman parameters were shorter than 768 bits. The new OpenSSL release raises this minimum to 1024 bits for all Node.js lines. The change only affects TLS clients connecting to servers that use weak DH parameters. Such servers become unreachable from updated clients, so operators of DHE-enabled servers (including Node.js servers, which take their group from the `dhparam` option of `tls.createServer`) should make sure their parameters are at least 1024 bits, and preferably 2048 bits, before their clients update.

Subscribe to the nodejs-sec mailing list (https://groups.google.com/forum/#!forum/nodejs-sec) to be notified of any further updates.