Node.js Security Patches December 2015
Today there were releases of all maintained Node.js release lines to address a few important security vulnerabilities.
NOTICE: The releases of v0.12, v4, and v5 contain a critical DoS security fix, and we recommend that you update as soon as possible. All of the releases also contain an important OpenSSL upgrade.
We have also updated N|Solid 1.1.1 with these Node.js fixes. N|Solid 1.1.1 is avaliable at https://downloads.nodesource.com/
Vulnerability Overview
The follow are the CVE codes for the fixed vulnerabilities, along with the affected versions of Node.js. More details can be found on the official Node.js blog post.
CVE-2015-8027 Denial of Service Vulnerability
- Versions 0.10.x of Node.js are not affected.
- Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
- Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
- Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).
CVE-2015-6764 V8 Out-of-bounds Access Vulnerability
- Versions 0.10.x of Node.js are not affected.
- Versions 0.12.x of Node.js are not affected.
- Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
- Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).
CVE-2015-3193 OpenSSL BN_mod_exp may produce incorrect results on x86_64
- Versions 0.10.x of Node.js are not affected.
- Versions 0.12.x of Node.js are not affected.
- Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
- Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).
CVE-2015-3194 OpenSSL Certificate verify crash with missing PSS parameter
- Versions 0.10.x of Node.js are vulnerable, please upgrade to v0.10.41 (Maintenance).
- Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
- Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
- Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).
These quick patch releases will become routine though v4’s stable lifecycle, and this will also continue into future stable release lines. There is a lot more effort being put into core than in the recent past and frequent releases mean that the work being done gets into your hands quicker.
As with all security releases, we recommend you upgrade to one of the newly released versions as soon as possible.
N|Solid 1.1.1 is now available and updated to address these security concerns. Download now.