The NodeSource Blog

Node.js 4.7.3 Release Brief

Node.js 4.7.3 is exclusively a security release, with an update to OpenSSL 1.0.2k. While the OpenSSL team have said this is at most a moderate-severity update, the Node.js Crypto team (Ben Noordhuis, Shigeki Ohtsu and Fedor Indutny) have determined that the impact of the OpenSSL vulnerability on Node.js is low. You can learn more about how they came to this conclusion on the Node.js blog.

As with all releases within major version lines, minor and patch upgrades should be drop-in replacements for previous versions.

Overview

This release contains only 7 commits, all of which are part of the upgrade to OpenSSL 1.0.2k.

Git Diffstats

(Showing the delta between v4.7.2 and v4.7.3, ignoring deps/npm.)

Without deps, tools, docs, benchmarks, or tests:

 src/node_version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Deps only:

   0.2% deps/openssl/asm/x64-elf-gas/bn/
   0.2% deps/openssl/asm/x64-macosx-gas/bn/
   0.2% deps/openssl/asm/x64-win32-masm/bn/
   0.0% deps/openssl/asm_obsolete/x64-elf-gas/bn/
   0.0% deps/openssl/asm_obsolete/x64-macosx-gas/bn/
   0.0% deps/openssl/asm_obsolete/x64-win32-masm/bn/
   9.2% deps/openssl/openssl/apps/
   0.8% deps/openssl/openssl/crypto/aes/asm/
   0.6% deps/openssl/openssl/crypto/asn1/
   0.8% deps/openssl/openssl/crypto/bn/asm/
   0.7% deps/openssl/openssl/crypto/bn/
   0.1% deps/openssl/openssl/crypto/cms/
   0.0% deps/openssl/openssl/crypto/dh/
   0.0% deps/openssl/openssl/crypto/dsa/
   1.8% deps/openssl/openssl/crypto/ec/
   0.1% deps/openssl/openssl/crypto/ecdh/
   0.0% deps/openssl/openssl/crypto/err/
   5.4% deps/openssl/openssl/crypto/evp/
   0.2% deps/openssl/openssl/crypto/modes/
   0.7% deps/openssl/openssl/crypto/perlasm/
   0.7% deps/openssl/openssl/crypto/rsa/
   9.9% deps/openssl/openssl/crypto/ui/
   0.7% deps/openssl/openssl/crypto/
   0.0% deps/openssl/openssl/demos/easy_tls/
   0.7% deps/openssl/openssl/doc/apps/
   1.5% deps/openssl/openssl/doc/crypto/
   7.0% deps/openssl/openssl/doc/ssl/
   0.1% deps/openssl/openssl/engines/ccgost/
   0.9% deps/openssl/openssl/include/openssl/
  27.8% deps/openssl/openssl/ssl/
   1.2% deps/openssl/openssl/util/
  27.1% deps/openssl/openssl/
 114 files changed, 875 insertions(+), 681 deletions(-)

Docs only:

 CHANGELOG.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

Most active commit

Of the 7 commits, 6c7bdf5 was the most active:
(Excluding docs, npm, eslint, and tests.)

commit 6c7bdf58e0b793c468949b32f1706c46c8c2f1df
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date:   Fri Jan 27 00:48:11 2017 +0900

    deps: copy all openssl header files to include dir

    All symlink files in `deps/openssl/openssl/include/openssl/`
    are removed and replaced with real header files to avoid
    issues on Windows. Two files of opensslconf.h in crypto and
    include dir are replaced to refer config/opensslconf.h.

    PR-URL: https://github.com/nodejs/node/pull/11021
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

  99.5% deps/openssl/openssl/include/openssl/
 76 files changed, 38406 insertions(+), 265 deletions(-)

This is a low-severity security release for a Node.js LTS release line. Do note that while we assess the security issues as being low-impact to Node.js, we still suggest you upgrade so as to avoid anything unforeseen.
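To confirm that a v4 runtime has actually picked up this release, the following added example (not code from NodeSource or the Node.js project) checks both the Node.js version and the OpenSSL version reported by `process.versions`. The function names `compareOpenSSL` and `auditV4Runtime` are hypothetical, and the check assumes OpenSSL 1.0.x-style version strings with a letter suffix.

```javascript
'use strict';

// Parse an OpenSSL 1.0.x-style version such as "1.0.2k" or "1.0.2k-fips".
function parseOpenSSL(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(v);
  if (!m) throw new Error('unrecognised OpenSSL version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], letters: m[4] };
}

// Negative if a is older than b, 0 if equal, positive if newer.
function compareOpenSSL(a, b) {
  const x = parseOpenSSL(a);
  const y = parseOpenSSL(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  // Letter releases order as "" < "a" < ... < "z" < "za" < ...
  if (x.letters.length !== y.letters.length) {
    return x.letters.length - y.letters.length;
  }
  return x.letters < y.letters ? -1 : x.letters > y.letters ? 1 : 0;
}

// Audit an object shaped like process.versions against this release.
// Both values are checked because a Node.js binary built against a
// shared system OpenSSL does not necessarily use the bundled copy.
function auditV4Runtime(versions) {
  const node = versions.node.split('.').map(function (p) {
    return parseInt(p, 10);
  });
  if (node[0] !== 4) return { status: 'not-v4', findings: [] };
  const findings = [];
  if (node[1] < 7 || (node[1] === 7 && node[2] < 3)) {
    findings.push('node ' + versions.node + ' is older than 4.7.3');
  }
  if (compareOpenSSL(versions.openssl, '1.0.2k') < 0) {
    findings.push('openssl ' + versions.openssl + ' is older than 1.0.2k');
  }
  return {
    status: findings.length ? 'outdated' : 'patched',
    findings: findings
  };
}

// Audit the runtime executing this script.
console.log(auditV4Runtime(process.versions));
```

A result of `not-v4` means the runtime belongs to a different release line, which this brief does not cover.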