惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
H
Heimdal Security Blog
W
WeLiveSecurity
L
LINUX DO - 热门话题
Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
The Last Watchdog
The Last Watchdog
Hugging Face - Blog
Hugging Face - Blog
博客园 - 【当耐特】
D
DataBreaches.Net
I
Intezer
Webroot Blog
Webroot Blog
C
Cisco Blogs
AWS News Blog
AWS News Blog
博客园 - 聂微东
T
The Blog of Author Tim Ferriss
V
Vulnerabilities – Threatpost
罗磊的独立博客
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
宝玉的分享
宝玉的分享
博客园 - 叶小钗
PCI Perspectives
PCI Perspectives
D
Docker
Scott Helme
Scott Helme
NISL@THU
NISL@THU
J
Java Code Geeks
B
Blog RSS Feed
Google Online Security Blog
Google Online Security Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
AI
AI
美团技术团队
Cloudbric
Cloudbric
月光博客
月光博客
P
Proofpoint News Feed
T
Tailwind CSS Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
www.infosecurity-magazine.com
www.infosecurity-magazine.com
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

Node.js Blog

Node.js — Security Bug Bounty Program Paused Due to Loss of Funding Node.js — Node.js 25.9.0 (Current) Node.js — Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 Node.js — Node.js 25.8.2 (Current) Node.js — Node.js 24.14.1 (LTS) Node.js — Node.js 22.22.2 (LTS) Node.js — Node.js 20.20.2 (LTS) Node.js — Tuesday, March 24, 2026 Security Releases Node.js — Node.js 25.8.1 (Current) Node.js — Evolving the Node.js Release Schedule Node.js — Node.js 22.22.1 (LTS) Node.js — Node.js 20.20.1 (LTS) Node.js — Node.js 25.8.0 (Current) Node.js — Node.js 25.7.0 (Current) Node.js — Node.js 24.14.0 (LTS) Node.js — New HackerOne Signal Requirement for Vulnerability Reports Node.js — Node.js 25.6.1 (Current) Node.js — Node.js 24.13.1 (LTS) Node.js — Node.js 25.6.0 (Current) Node.js — OpenSSL Security Advisory Assessment, January 2026 Node.js — Node.js 25.5.0 (Current) Node.js — Chalk to Node.js util styleText Node.js — Node.js 25.4.0 (Current) Node.js — Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users Node.js — Node.js 22.22.0 (LTS) Node.js — Node.js 25.3.0 (Current) Node.js — Node.js 24.13.0 (LTS) Node.js — Node.js 20.20.0 (LTS) Node.js — Tuesday, January 13, 2026 Security Releases Node.js — Node.js 24.12.0 (LTS) Node.js — Node.js 20.19.6 (LTS) Node.js — Node.js 25.2.1 (Current) Node.js — Node.js 24.11.1 (LTS) Node.js — Node.js 25.2.0 (Current) Node.js — Node.js 25.1.0 (Current) Node.js — Node.js 22.21.1 (LTS) Node.js — Node.js 24.11.0 (LTS) Node.js — Node.js v22 to v24 Node.js — Node.js v20 to v22 Node.js — Node.js v14 to v16 Node.js — Node.js v12 to v14 Node.js — Node.js 22.21.0 (LTS) Node.js — Node.js 25.0.0 (Current) Node.js — Node.js 24.10.0 (Current) Node.js — Node.js 24.9.0 (Current) Node.js — Node.js 22.20.0 (LTS) Node.js — Node.js 24.8.0 (Current) Node.js — Node.js 20.19.5 (LTS) Node.js — Node.js 22.19.0 (LTS) Node.js — Node.js 24.7.0 (Current) Node.js — Node.js 24.6.0 (Current) Node.js — Node.js 22.18.0 (LTS) Node.js — Node.js 24.5.0 (Current) Node.js — Node.js 20.19.4 (LTS) Node.js — Node.js 22.17.1 (LTS) Node.js — Node.js 24.4.1 (Current) Node.js — Tuesday, July 15, 2025 Security Releases Node.js — Node.js 24.4.0 (Current) Node.js — Node.js LGBTQIA+ Stories: Emelia Smith Node.js — Open sourced identity Node.js — Node.js 22.17.0 (LTS) Node.js — Node.js 24.3.0 (Current) Node.js — Node.js 20.19.3 (LTS) Node.js — In Memory of Mikeal Rogers: A Builder of Communities Node.js — Node.js 24.2.0 (Current) Node.js — Beware of End-of-Life Node.js Versions - Upgrade or Seek Post-EOL Support Node.js — Trip report: Node.js collaboration summit (2025 Paris) Node.js — Node.js 22.16.0 (LTS) Node.js — Node.js 24.1.0 (Current) Node.js — Node.js 24.0.2 (Current) Node.js — Node.js 23.11.1 (Current) Node.js — Node.js 22.15.1 (LTS) Node.js — Node.js 20.19.2 (LTS) Node.js — Wednesday, May 14, 2025 Security Releases Node.js — Node.js 24.0.1 (Current) Node.js — Node.js 24.0.0 (Current) Node.js — Node.js Test CI Security Incident Node.js — Node.js 22.15.0 (LTS) Node.js — Node.js 20.19.1 (LTS) Node.js — Making Node.js Downloads Reliable Node.js — Node.js 23.11.0 (Current) Node.js — Node.js 23.10.0 (Current) Node.js — Node.js 20.19.0 (LTS) Node.js — Updates on CVE for End-of-Life Versions Node.js — Node.js 23.9.0 (Current) Node.js — Node.js 18.20.7 (LTS) Node.js — Node.js 20.18.3 (LTS) Node.js — Node.js 9.3.0 (Current) Node.js — Data Confidentiality/Integrity Vulnerability, December 2017 Node.js — Node.js 9.2.1 (Current) Node.js — Node.js 8.9.3 (LTS) Node.js — Node.js 4.8.7 (Maintenance) Node.js — Node.js 8.9.2 (LTS) Node.js — Node.js 6.12.1 (LTS) Node.js — Node.js 9.2.0 (Current) Node.js — Node.js 8.9.1 (LTS) Node.js — Node.js 9.1.0 (Current) Node.js — Node.js 0.10.35 (Stable) Node.js — Node.js 0.10.34 (Stable) Node.js — Node.js 0.10.29 (Stable)
Node.js — Node.js 0.10.33 (Stable)
2014-10-23 · via Node.js Blog

The Node.js Project

This release handles the recent POODLE vulnerability by disabling SSLv2/SSLv3 by default for the most predominate uses of TLS in Node.js.

It took longer than expected to get this release accomplished in a way that would provide appropriate default security settings, while minimizing the surface area for the behavior change we were introducing. It was also important that we validated that our changes were being applied in the variety of configurations we support in our APIs.

With this release, we are confident that the only behavior change is that of the default allowed protocols do not include SSLv2 or SSLv3. Though you are still able to programatically consume those protocols if necessary.

Included is the documentation that you can find at https://nodejs.org/api/tls.html#tls_protocol_support that describes how this works going forward for client and server implementations.


Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these protocols are disabled. They are considered insecure and could be easily compromised as was shown by CVE-2014-3566. However, in some situations, it may cause problems with legacy clients/servers (such as Internet Explorer 6). If you wish to enable SSLv2 or SSLv3, run node with the --enable-ssl2 or --enable-ssl3 flag respectively. In future versions of Node.js SSLv2 and SSLv3 will not be compiled in by default.

There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly specifying secureProtocol to 'SSLv3_method' or 'SSLv2_method'.

The default protocol method Node.js uses is SSLv23_method which would be more accurately named AutoNegotiate_method. This method will try and negotiate from the highest level down to whatever the client supports. To provide a secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3 and SSLv2 by setting the secureOptions to be SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2 (again, unless you have passed --enable-ssl3, or --enable-ssl2, or SSLv3_method as secureProtocol).

If you have set securityOptions to anything, we will not override your options.

The ramifications of this behavior change:

  • If your application is behaving as a secure server, clients who are SSLv3 only will now not be able to appropriately negotiate a connection and will be refused. In this case your server will emit a clientError event. The error message will include 'wrong version number'.
  • If your application is behaving as a secure client and communicating with a server that doesn't support methods more secure than SSLv3 then your connection won't be able to negotiate and will fail. In this case your client will emit a an error event. The error message will include 'wrong version number'.

2014.10.20, Version 0.10.33 (Stable)

  • openssl: Update to 1.0.1j (Addressing multiple CVEs)

  • uv: Update to v0.10.29

  • child_process: properly support optional args (cjihrig)

  • crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

This is a behavior change, by default we will not allow the negotiation to SSLv2 or SSLv3. If you want this behavior, run Node.js with either --enable-ssl2 or --enable-ssl3 respectively.

This does not change the behavior for users specifically requesting SSLv2_method or SSLv3_method. While this behavior is not advised, it is assumed you know what you're doing since you're specifically asking to use these methods.

Source Code: https://nodejs.org/dist/v0.10.33/node-v0.10.33.tar.gz

Macintosh Installer (Universal): https://nodejs.org/dist/v0.10.33/node-v0.10.33.pkg

Windows Installer: https://nodejs.org/dist/v0.10.33/node-v0.10.33-x86.msi

Windows x64 Installer: https://nodejs.org/dist/v0.10.33/x64/node-v0.10.33-x64.msi

Windows x64 Files: https://nodejs.org/dist/v0.10.33/x64/

Linux 32-bit Binary: https://nodejs.org/dist/v0.10.33/node-v0.10.33-linux-x86.tar.gz

Linux 64-bit Binary: https://nodejs.org/dist/v0.10.33/node-v0.10.33-linux-x64.tar.gz

Solaris 32-bit Binary: https://nodejs.org/dist/v0.10.33/node-v0.10.33-sunos-x86.tar.gz

Solaris 64-bit Binary: https://nodejs.org/dist/v0.10.33/node-v0.10.33-sunos-x64.tar.gz

Other release files: https://nodejs.org/dist/v0.10.33/

Website: https://nodejs.org/docs/v0.10.33/

Documentation: https://nodejs.org/docs/v0.10.33/api/

Shasums:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

03e72005a4ed612aa7a984d840f148bfb76f3c5f  node-v0.10.33-darwin-x64.tar.gz
f40319ad8720d350ea45e56d5d9018c244482ddc  node-v0.10.33-darwin-x86.tar.gz
4eba69caf7368d7f388700eb02996f85b06f457a  node-v0.10.33-linux-x64.tar.gz
62a58b74851350a935e781d216484966b04ae097  node-v0.10.33-linux-x86.tar.gz
aea7f541e21b57a07b15ab8d825c43f04a2f7440  node-v0.10.33-sunos-x64.tar.gz
97b1d889a299afd6f0c0bb320646d92b7c498d01  node-v0.10.33-sunos-x86.tar.gz
8a637d14609208d31fe466cd4961bec58a8f8f9b  node-v0.10.33-x86.msi
81fcb80d7181768a7211a337c084b4a0b139dd74  node-v0.10.33.pkg
69aeeade5fef622c3150cfc2b4a8f70eea1ef1ec  node-v0.10.33.tar.gz
69275030a0549c27189a8f25396997deb70462ad  node.exe
13dc334420abeaab9b7b3d184e0c5126250ce4e7  node.exp
0379528f6d65eef73ceaeaf9acfe327648a9bc83  node.lib
c23021453a5331954929cff26f7a7f5131af4351  node.pdb
0fe937289a228a5bbc4fc97664eabbdc3a9792e5  openssl-cli.exe
e1cff728f900bda134973666f75aae52a2d60e86  openssl-cli.pdb
6173345fb3c8388abb2a415b99bb4962ebd8e123  x64/node-v0.10.33-x64.msi
a4142d8a122317cc2e32caa643def2797e5f2cd7  x64/node.exe
e067c6d6904a15a494b6b9f3e84cb07dc738c2ea  x64/node.exp
63567e086a965f3ae452b6caace401592cd8c0ec  x64/node.lib
e2cedfc1dd02f1d365314b162167ffb12d1cb0b1  x64/node.pdb
68d60b60f03e703184a10d0a6adff69d9302b93e  x64/openssl-cli.exe
4cd9e8bcf4fa9134a2e84473ec3d7d4b4cd31013  x64/openssl-cli.pdb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlRJUxYACgkQfTP/nQJGQG2eNwCdGAIzkYTGHFohi2PVWKIKYmmq
bvoAnAulTmcNMMLlXi1+Nmtt5SGyZIL8
=0QtW
-----END PGP SIGNATURE-----