The NodeSource Blog

Node.js 6.9.5 Release Brief

Node.js 6.9.5 is exclusively a security release, with an update to OpenSSL 1.0.2k. While the OpenSSL team have said this is at most a moderate update, the Node.js Crypto team (Ben Noordhuis, Shigeki Ohtsu and Fedor Indutny) have determined that the impact of the OpenSSL vulnerability is low. You can learn more about the details of how they came to this conclusion on the Node.js blog.

As with all releases within major version lines, minor and patch upgrades should be drop-in replacements for previous versions.

Overview

This release contains only 7 commits, all of which are part of the upgrade to OpenSSL 1.0.2k.

Git Diffstats

(Showing the delta between v6.9.4 and v6.9.5, ignoring deps/npm.)

Without deps, tools, docs, benchmarks, or tests:

 src/node_version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Deps only:

   0.2% deps/openssl/asm/x64-elf-gas/bn/
   0.2% deps/openssl/asm/x64-macosx-gas/bn/
   0.2% deps/openssl/asm/x64-win32-masm/bn/
   0.0% deps/openssl/asm_obsolete/x64-elf-gas/bn/
   0.0% deps/openssl/asm_obsolete/x64-macosx-gas/bn/
   0.0% deps/openssl/asm_obsolete/x64-win32-masm/bn/
   9.2% deps/openssl/openssl/apps/
   0.8% deps/openssl/openssl/crypto/aes/asm/
   0.6% deps/openssl/openssl/crypto/asn1/
   0.8% deps/openssl/openssl/crypto/bn/asm/
   0.7% deps/openssl/openssl/crypto/bn/
   0.1% deps/openssl/openssl/crypto/cms/
   0.0% deps/openssl/openssl/crypto/dh/
   0.0% deps/openssl/openssl/crypto/dsa/
   1.8% deps/openssl/openssl/crypto/ec/
   0.1% deps/openssl/openssl/crypto/ecdh/
   0.0% deps/openssl/openssl/crypto/err/
   5.4% deps/openssl/openssl/crypto/evp/
   0.2% deps/openssl/openssl/crypto/modes/
   0.7% deps/openssl/openssl/crypto/perlasm/
   0.7% deps/openssl/openssl/crypto/rsa/
   9.9% deps/openssl/openssl/crypto/ui/
   0.7% deps/openssl/openssl/crypto/
   0.0% deps/openssl/openssl/demos/easy_tls/
   0.7% deps/openssl/openssl/doc/apps/
   1.5% deps/openssl/openssl/doc/crypto/
   7.0% deps/openssl/openssl/doc/ssl/
   0.1% deps/openssl/openssl/engines/ccgost/
   0.9% deps/openssl/openssl/include/openssl/
  27.8% deps/openssl/openssl/ssl/
   1.2% deps/openssl/openssl/util/
  27.1% deps/openssl/openssl/
 114 files changed, 875 insertions(+), 681 deletions(-)

Docs only:

 CHANGELOG.md                   |  3 ++-
 doc/changelogs/CHANGELOG_V6.md | 27 ++++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

Most active commit

Of the 7 commits, d623e8c was the most active:
(Excluding docs, npm, eslint, and tests.)

commit d623e8c5b9094f7cfcd9619a1a292b32873d0d8b
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date:   Fri Jan 27 00:48:11 2017 +0900

    deps: copy all openssl header files to include dir

    All symlink files in `deps/openssl/openssl/include/openssl/`
    are removed and replaced with real header files to avoid
    issues on Windows. Two files of opensslconf.h in crypto and
    include dir are replaced to refer config/opensslconf.h.

    PR-URL: https://github.com/nodejs/node/pull/11021
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

  99.5% deps/openssl/openssl/include/openssl/
 76 files changed, 38406 insertions(+), 265 deletions(-)

This is a low-severity security release for a Node.js LTS release line. Do note that while we assess the security issues as being low-impact to Node.js, we still suggest you upgrade so as to avoid anything unforeseen.
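To confirm that a given v6 runtime already carries this upgrade, the check below compares the Node.js and bundled OpenSSL versions against 6.9.5 and 1.0.2k. It is an added example, not code from NodeSource or the Node.js project; the function names are hypothetical and the sample version pairs are constructed. It assumes input shaped like `process.versions`.

```javascript
// Added example: report whether a runtime in the v6 line already carries
// the OpenSSL 1.0.2k upgrade described in this brief.

// OpenSSL 1.0.x versions look like "1.0.2k"; the trailing letters are the
// patch level and order as (none) < a < ... < z < za < zb ...
function parseOpenSSL(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(version);
  if (!m) throw new Error('unrecognised OpenSSL version: ' + version);
  let patch = 0;
  for (const ch of m[4]) patch += ch.charCodeAt(0) - 96; // a=1 ... z=26, za=27
  return [Number(m[1]), Number(m[2]), Number(m[3]), patch];
}

// Element-by-element comparison of two numeric arrays: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// `versions` has the shape of process.versions: { node, openssl }.
function auditRuntime(versions) {
  const node = versions.node.split('.').slice(0, 3).map((s) => parseInt(s, 10));
  if (node[0] !== 6) return { status: 'out-of-scope' }; // this brief covers v6 only
  const nodeOk = compare(node, [6, 9, 5]) >= 0;
  const opensslOk =
    compare(parseOpenSSL(versions.openssl), parseOpenSSL('1.0.2k')) >= 0;
  return { status: nodeOk && opensslOk ? 'patched' : 'upgrade', nodeOk, opensslOk };
}

// Constructed sample inputs, then the runtime executing this script.
console.log(auditRuntime({ node: '6.9.4', openssl: '1.0.2j' }));
console.log(auditRuntime({ node: '6.9.5', openssl: '1.0.2k' }));
console.log(auditRuntime(process.versions));
```

The letter-suffix comparison matters because a plain string or numeric comparison misorders OpenSSL patch levels such as 1.0.2k and 1.0.2za.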