The Nodesource Blog


Node.js v4.3.2 Release Brief

Overview

v4.3.2 contains only one commit, an upgrade to OpenSSL 1.0.2g (up from 1.0.2f).

This is a low-impact security release, as we do not believe the issues from OpenSSL, as outlined below, are readily exploitable in Node.js.

Notably, CVE-2016-0800 (known as the _DROWN Attack_) does not affect Node.js v4 or v5, as we build without any support for SSLv2/3.

Notable Changes

  • openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) #5507
    • Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705.
    • Fix a defect that can cause memory corruption in certain very rare cases relating to the internal BN_hex2bn() and BN_dec2bn() functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are unlikely to be possible. More info is available at CVE-2016-0797.
    • Fix a defect that makes the CacheBleed Attack possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702.

Commit Summary & Diffstat

commit c133797d09256ca028162647b19f7c1fa333ab66
Author: Ben Noordhuis <info@bnoordhuis.nl>
Date:   Tue Mar 1 14:03:58 2016 +0100

    deps: upgrade openssl to 1.0.2g

    PR-URL: https://github.com/nodejs/node/pull/5507
    Reviewed-By: Fedor Indutny <fedor@indutny.com>

   7.5% deps/openssl/asm/x64-elf-gas/aes/
   5.1% deps/openssl/asm/x64-elf-gas/bn/
  20.5% deps/openssl/asm/x64-elf-gas/sha/
   3.2% deps/openssl/asm/x64-elf-gas/
   7.4% deps/openssl/asm/x64-macosx-gas/aes/
   5.1% deps/openssl/asm/x64-macosx-gas/bn/
  20.4% deps/openssl/asm/x64-macosx-gas/sha/
   3.2% deps/openssl/asm/x64-macosx-gas/
   3.7% deps/openssl/asm/x86-elf-gas/sha/
   3.6% deps/openssl/asm/x86-macosx-gas/sha/
   3.6% deps/openssl/asm/x86-win32-masm/sha/
   5.9% deps/openssl/asm_obsolete/
   3.2% deps/openssl/openssl/crypto/bn/
   4.1% deps/openssl/openssl/
 173 files changed, 9866 insertions(+), 76198 deletions(-)

Do note that while we assess the security issues as being low-impact to Node.js, we still suggest you upgrade so as to avoid anything unforeseen.
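To confirm that a given runtime actually carries the upgraded library, the bundled OpenSSL version can be read from `process.versions.openssl` and compared against 1.0.2g. The following is an added example, not NodeSource or Node.js project code; the function names, status strings and the sample inventory are assumptions made for illustration.

```javascript
// Added example, not NodeSource or Node.js project code.
const FIXED_IN = '1.0.2g'; // OpenSSL version this release brief upgrades to

// Parse an OpenSSL version as reported in process.versions.openssl.
// Covers letter patches ("1.0.2g", "1.0.2za"), build suffixes
// ("1.0.2g-fips", "3.0.13+quic") and plain three-part versions.
function parseOpenSSLVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(str).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], letters: m[4] };
}

// Returns <0, 0 or >0. Letter patches order by length, then alphabetically:
// "" < "f" < "g" < "z" < "za".
function compareOpenSSL(a, b) {
  const x = parseOpenSSLVersion(a), y = parseOpenSSLVersion(b);
  if (!x || !y) throw new TypeError('unrecognised OpenSSL version');
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.letters.length !== y.letters.length) {
    return x.letters.length - y.letters.length;
  }
  return x.letters < y.letters ? -1 : x.letters > y.letters ? 1 : 0;
}

// Classify a runtime from its process.versions-style object.
// Only answers "is the bundled OpenSSL at or after 1.0.2g"; older branches
// compare lower regardless of their own patch releases.
function auditOpenSSL(versions) {
  const v = versions && versions.openssl;
  if (!parseOpenSSLVersion(v)) return 'unknown';
  return compareOpenSSL(v, FIXED_IN) >= 0 ? 'ok' : 'upgrade';
}

// Constructed sample inventory (not real hosts), then the running process.
const sampleFleet = { 'build-01': '1.0.2f', 'api-02': '1.0.2g', 'fips-03': '1.0.2h-fips' };
for (const [host, openssl] of Object.entries(sampleFleet)) {
  console.log(host, openssl, auditOpenSSL({ openssl }));
}
console.log('this process:', process.versions.openssl, auditOpenSSL(process.versions));
```

The comparison is on the OpenSSL version, not the Node.js version, so it also catches builds linked against a shared system OpenSSL instead of the bundled copy.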