The Node.js team have announced new updates about their August 2018 releases. Per their blog, new versions for each of their supported lines will be released on, or shortly after, the 15th of August, 2018.
These releases mostly address low-severity flaws, incorporating a number of security fixes and an upgraded version of OpenSSL. The Node.js 10 Current release, however, will not be limited to security-related updates, as is the policy for non-LTS release lines.
Details of the flaws addressed will be disclosed with the releases, allowing users to assess the severity of the impact on their own applications.
Upgrades to OpenSSL
There are two new upgrades to OpenSSL: OpenSSL 1.1.0i and 1.0.2p will be made available on the 14th of August, 2018. These releases cover three low-severity security fixes, two of which are relevant to Node.js users.
- Client DoS due to large DH parameter: During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. The client then spends an unreasonably long time generating a key and hangs until that computation finishes. This could be exploited in a Denial of Service attack.
- ECDSA key extraction via local side-channel: The OpenSSL RSA key generation algorithm is vulnerable to a cache timing side-channel attack. An attacker with sufficient local access to mount cache timing attacks during RSA key generation could recover the private key.
All versions of Node.js 6.x (LTS “Boron”) and 8.x (LTS “Carbon”) are impacted via OpenSSL 1.0.2; all versions of Node.js 10.x (Current) are impacted via OpenSSL 1.1.0. All OpenSSL fixes are available in the OpenSSL git repository.
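A practical check for operators is whether the OpenSSL linked into a given Node.js binary is at or past the fixed level named above (1.0.2p for the 1.0.2 line used by 6.x and 8.x, 1.1.0i for the 1.1.0 line used by 10.x). The following is an added example, not code from the announcement or from the Node.js project; it parses OpenSSL's `major.minor.patch` plus patch-letter version strings, as reported by `process.versions.openssl`, and compares the letter suffix against the fixed release. The fixed-version table and the letter-ordering rule (`""` < `a` < ... < `z` < `za`) are assumptions for the demonstration.

```javascript
// Added example: does this Node.js binary carry the August 2018 OpenSSL fixes?
// Assumed fixed releases, taken from the announcement above.
const FIXED = { '1.0.2': 'p', '1.1.0': 'i' };

// Parse an OpenSSL version string such as "1.0.2n" or "1.1.0h" into its
// numeric branch and optional patch-letter suffix. Returns null on no match.
function parseOpenSslVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v));
  if (!m) return null;
  return { branch: `${m[1]}.${m[2]}.${m[3]}`, letter: m[4] };
}

// OpenSSL patch letters order as "" < "a" < ... < "z" < "za" < "zb" ...;
// a longer suffix is therefore always newer than a shorter one.
function letterAtLeast(have, need) {
  if (have.length !== need.length) return have.length > need.length;
  return have >= need;
}

// Report whether `version` is covered by the fix for its branch. `known` is
// false when the branch is not one the advisory speaks about at all.
function openSslFixStatus(version) {
  const p = parseOpenSslVersion(version);
  if (!p) return { known: false, fixed: false, reason: `unparseable version "${version}"` };
  const needed = FIXED[p.branch];
  if (needed === undefined) {
    return { known: false, fixed: false, reason: `branch ${p.branch} not covered by the August 2018 advisory` };
  }
  const fixed = letterAtLeast(p.letter, needed);
  return { known: true, fixed, reason: fixed ? `at or above ${p.branch}${needed}` : `needs ${p.branch}${needed}` };
}

// Run against the OpenSSL this Node.js process was built with.
console.log(process.versions.openssl, openSslFixStatus(process.versions.openssl));
```

A binary on a branch the advisory does not cover (for example 1.1.1 or 3.x) is reported as `known: false` rather than as fixed, so that the check never silently passes on a line it knows nothing about.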
Security inclusions in Node.js
Apart from the OpenSSL upgrades, the August 2018 releases also include fixes for the following flaws in Node.js itself:
- Unintentional exposure of uninitialized memory
- Out of bounds (OOB) write
All actively supported release lines of Node.js are impacted by these flaws.
In addition to the OpenSSL and security fixes, the following items are also included for the LTS release lines:
- The inspector's default bind address changes from 0.0.0.0 to 127.0.0.1; the bind address remains overridable by the user. This change affects Node.js 6.x (LTS “Boron”) only.
- In test, keys/Makefile is updated to clean and build all. This change affects the test suite for all actively supported release lines of Node.js.
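The inspector change matters because a debugger bound to 0.0.0.0 listens on every interface, not just loopback. The following is an added example, not from the announcement or the Node.js project: it inspects a process's command-line flags (for example `process.execArgv`) and reports which host the inspector would bind to, flagging anything other than a loopback address. It follows Node's documented `--inspect[=[host:]port]`, `--inspect-brk[=[host:]port]` and `--inspect-port=[host:]port` syntax; the default host and port it falls back to (127.0.0.1 and 9229, i.e. the fixed behaviour) are parameters, so the pre-fix 6.x default of 0.0.0.0 can be modelled by passing it in.

```javascript
// Added example: audit the inspector bind address implied by Node.js flags.
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1']);

// Split an inspector address argument into { host, port }. A missing host or
// port keeps the value in `current` (assumed defaults for the demonstration).
function parseInspectAddress(value, current) {
  let { host, port } = current;
  if (value === undefined || value === '') return { host, port };
  let m;
  if ((m = /^\[([^\]]+)\]:(\d+)$/.exec(value))) {        // [::]:9229
    host = m[1]; port = Number(m[2]);
  } else if ((m = /^\[([^\]]+)\]$/.exec(value))) {        // [::]
    host = m[1];
  } else if (/^\d+$/.test(value)) {                        // 9229
    port = Number(value);
  } else if ((m = /^([^:]+):(\d+)$/.exec(value))) {        // 0.0.0.0:9229
    host = m[1]; port = Number(m[2]);
  } else {                                                 // 0.0.0.0
    host = value;
  }
  return { host, port };
}

// Walk the flags in order (later flags win) and report whether the inspector
// is enabled and whether its host is something other than loopback.
function auditInspectorFlags(argv, defaults = { host: '127.0.0.1', port: 9229 }) {
  let enabled = false;
  let addr = { ...defaults };
  for (const arg of argv) {
    const m = /^--(inspect|inspect-brk|inspect-port)(?:=(.*))?$/.exec(arg);
    if (!m) continue;
    if (m[1] !== 'inspect-port') enabled = true;   // --inspect-port alone does not enable
    addr = parseInspectAddress(m[2], addr);
  }
  const exposed = enabled && !LOOPBACK.has(addr.host);
  return { enabled, host: addr.host, port: addr.port, exposed };
}

// Check the flags of the current process.
console.log(auditInspectorFlags(process.execArgv));
```

The `exposed` field is the one to alert on: with the fixed default, a bare `--inspect` stays on loopback, whereas an explicit `--inspect=0.0.0.0:9229`, or a bare `--inspect` under the old 6.x default, reports the debugger as reachable from other hosts.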