惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
爱范儿
爱范儿
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
Latest news
Latest news
The Hacker News
The Hacker News
Cyberwarzone
Cyberwarzone
博客园 - 【当耐特】
Project Zero
Project Zero
小众软件
小众软件
T
Tailwind CSS Blog
量子位
博客园 - 聂微东
I
Intezer
美团技术团队
S
SegmentFault 最新的问题
T
Tor Project blog
Spread Privacy
Spread Privacy
V
Vulnerabilities – Threatpost
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Jina AI
Jina AI
罗磊的独立博客
B
Blog RSS Feed
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Troy Hunt's Blog
有赞技术团队
有赞技术团队
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
C
Cisco Blogs
L
LINUX DO - 热门话题
Last Week in AI
Last Week in AI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Microsoft Azure Blog
Microsoft Azure Blog
L
LINUX DO - 最新话题
Know Your Adversary
Know Your Adversary
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
Lohrmann on Cybersecurity
The Register - Security
The Register - Security
L
LangChain Blog
博客园 - 叶小钗
T
Tenable Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC

Node.js Blog

Node.js — Security Bug Bounty Program Paused Due to Loss of Funding Node.js — Node.js 25.9.0 (Current) Node.js — Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 Node.js — Node.js 25.8.2 (Current) Node.js — Node.js 24.14.1 (LTS) Node.js — Node.js 22.22.2 (LTS) Node.js — Node.js 20.20.2 (LTS) Node.js — Tuesday, March 24, 2026 Security Releases Node.js — Node.js 25.8.1 (Current) Node.js — Evolving the Node.js Release Schedule Node.js — Node.js 22.22.1 (LTS) Node.js — Node.js 20.20.1 (LTS) Node.js — Node.js 25.8.0 (Current) Node.js — Node.js 25.7.0 (Current) Node.js — Node.js 24.14.0 (LTS) Node.js — New HackerOne Signal Requirement for Vulnerability Reports Node.js — Node.js 25.6.1 (Current) Node.js — Node.js 24.13.1 (LTS) Node.js — Node.js 25.6.0 (Current) Node.js — OpenSSL Security Advisory Assessment, January 2026 Node.js — Node.js 25.5.0 (Current) Node.js — Chalk to Node.js util styleText Node.js — Node.js 25.4.0 (Current) Node.js — Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users Node.js — Node.js 22.22.0 (LTS) Node.js — Node.js 25.3.0 (Current) Node.js — Node.js 24.13.0 (LTS) Node.js — Node.js 20.20.0 (LTS) Node.js — Tuesday, January 13, 2026 Security Releases Node.js — Node.js 24.12.0 (LTS) Node.js — Node.js 20.19.6 (LTS) Node.js — Node.js 25.2.1 (Current) Node.js — Node.js 24.11.1 (LTS) Node.js — Node.js 25.2.0 (Current) Node.js — Node.js 25.1.0 (Current) Node.js — Node.js 22.21.1 (LTS) Node.js — Node.js 24.11.0 (LTS) Node.js — Node.js v22 to v24 Node.js — Node.js v20 to v22 Node.js — Node.js v14 to v16 Node.js — Node.js v12 to v14 Node.js — Node.js 22.21.0 (LTS) Node.js — Node.js 25.0.0 (Current) Node.js — Node.js 24.10.0 (Current) Node.js — Node.js 24.9.0 (Current) Node.js — Node.js 22.20.0 (LTS) Node.js — Node.js 24.8.0 (Current) Node.js — Node.js 20.19.5 (LTS) Node.js — Node.js 22.19.0 (LTS) Node.js — Node.js 24.7.0 (Current) Node.js — Node.js 24.6.0 (Current) Node.js — Node.js 22.18.0 (LTS) Node.js — Node.js 24.5.0 (Current) Node.js — Node.js 20.19.4 (LTS) Node.js — Node.js 22.17.1 (LTS) Node.js — Node.js 24.4.1 (Current) Node.js — Tuesday, July 15, 2025 Security Releases Node.js — Node.js 24.4.0 (Current) Node.js — Node.js LGBTQIA+ Stories: Emelia Smith Node.js — Open sourced identity Node.js — Node.js 22.17.0 (LTS) Node.js — Node.js 24.3.0 (Current) Node.js — Node.js 20.19.3 (LTS) Node.js — In Memory of Mikeal Rogers: A Builder of Communities Node.js — Node.js 24.2.0 (Current) Node.js — Beware of End-of-Life Node.js Versions - Upgrade or Seek Post-EOL Support Node.js — Trip report: Node.js collaboration summit (2025 Paris) Node.js — Node.js 22.16.0 (LTS) Node.js — Node.js 24.1.0 (Current) Node.js — Node.js 24.0.2 (Current) Node.js — Node.js 23.11.1 (Current) Node.js — Node.js 22.15.1 (LTS) Node.js — Node.js 20.19.2 (LTS) Node.js — Wednesday, May 14, 2025 Security Releases Node.js — Node.js 24.0.1 (Current) Node.js — Node.js 24.0.0 (Current) Node.js — Node.js Test CI Security Incident Node.js — Node.js 22.15.0 (LTS) Node.js — Node.js 20.19.1 (LTS) Node.js — Making Node.js Downloads Reliable Node.js — Node.js 23.11.0 (Current) Node.js — Node.js 23.10.0 (Current) Node.js — Node.js 20.19.0 (LTS) Node.js — Updates on CVE for End-of-Life Versions Node.js — Node.js 23.9.0 (Current) Node.js — Node.js 18.20.7 (LTS) Node.js — Node.js 20.18.3 (LTS) Node.js — Node.js 9.3.0 (Current) Node.js — Data Confidentiality/Integrity Vulnerability, December 2017 Node.js — Node.js 9.2.1 (Current) Node.js — Node.js 8.9.3 (LTS) Node.js — Node.js 4.8.7 (Maintenance) Node.js — Node.js 8.9.2 (LTS) Node.js — Node.js 6.12.1 (LTS) Node.js — Node.js 9.2.0 (Current) Node.js — Node.js 8.9.1 (LTS) Node.js — Node.js 9.1.0 (Current) Node.js — Node.js 0.10.35 (Stable) Node.js — Node.js 0.10.34 (Stable) Node.js — Node.js 0.10.29 (Stable)
Node.js — OpenSSL update, 1.0.2m
2017-10-30 · via Node.js Blog

Rod Vagg

(Update 8-Nov-2017) Node.js Releases

Releases were made available for active lines yesterday, each including the OpenSSL 1.0.2m update. As we have not categorized these strictly as security releases they also contain other minor fixes and additions as per our regular release procedures.

While we don't consider OpenSSL 1.0.2m a critical update, you should make plans to upgrade your deployments as soon as practical.

(Update 2-Nov-2017) Node.js Impact Assessment & Release Plan

The following impact assessment for Node.js of the flaws fixed in OpenSSL 1.0.2m has been provided by Shigeki Ohtsu from our crypto team. Original details about the announcement from the OpenSSL team can be found below.

CVE-2017-3735: OOB read parsing IPAdressFamily in an X.509 certificate

CVE-2017-3735 fixes buffer over-read in parsing X.509 certificates using extensions defined in RFC3779.

Node.js disables RFC3779 support by defining OPENSSL_NO_RFC3779 during compile. It is therefore unlikely that Node.js is impacted in any way by this vulnerability.

CVE-2017-3736: Carry propagating bug in the x86_64 Montgomery squaring procedure

CVE-2017-3736 fixes a carry propagating bug in the x86*64 _Montgomery squaring* procedure.

Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against Diffie-Hellman are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent Diffie-Hellman parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

CVE-2017-3736 impacts Node.js users but the likelihood of successful attack using the flaw is very low and we therefore deem it to be non-critical.

Additional fixes

OpenSSL 1.0.2m also includes two additional fixes that do not have a CVE assigned to them.

  1. A side channel attack of ECDSA which appears too difficult to execute and can only obtain limited information about a private key.
  2. A fix for TLS servers with SNI enabled. Node.js does not use SSL_set_SSL_CTX in this context so is not impacted.

Release plan

Due to the low impact and low severity of these fixes, we have decided not to push urgent releases of Node.js this week. Releases of all active release lines are scheduled for next Tuesday, the 7th of November and these releases will all include OpenSSL 1.0.2m along with other regular Node.js patches and additions.

Our active release lines are:

  • Node.js 4 LTS "Argon" (Maintenance LTS)
  • Node.js 6 LTS "Boron" (Active LTS)
  • Node.js 8 LTS "Carbon" (Active LTS)
  • Node.js 9 (Current)

We will include an update here once all releases are made available.

Original post is included below


The OpenSSL project has announced (also see their correction) that they will be releasing versions 1.1.0g and 1.0.2m this week, on Thursday the 2nd of November 2017, UTC. The releases will fix one "low severity security issue" and one "moderate level security issue". "Moderate" level security issues for OpenSSL:

... includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws.

Note that Node.js currently does not support or bundle OpenSSL 1.1.0, so we will focus entirely on 1.0.2m in this release.

Information about the "low" severity security issue is already public:

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format.

As this is a low severity fix, no release is being made. The fix can be found in the source repository (1.0.2, 1.1.0, and master branches); see https://github.com/openssl/openssl/pull/4276. This bug has been present since 2006.

At this stage, due to embargo, it is uncertain what the nature of the "moderate" severity fix is, nor what impact it will have on Node.js users, if any. We will proceed as follows:

Within approximately 24 hours of the OpenSSL 1.0.2m release, our crypto team will make an impact assessment for Node.js users. This information may vary depending for the different active release lines and will be posted here.

As part of that impact assessment we will announce our release plans for each of the active release lines to take into account any impact. Please be prepared for the possibility of important updates to Node.js 4 "Argon", Node.js 6 "Boron", Node.js 8 "Carbon" and Node.js 9 (Current) as soon as Friday, the 3rd of November, 2017.

If our assessment concludes that the OpenSSL "moderate" security issue has very low impact for Node.js users, the Node.js release team may decide to bundle this OpenSSL upgrade with the regular, planned Node.js releases for both LTS and Current release lines and not proceed with special security releases.

Please monitor the nodejs-sec Google Group for updates, including an impact assessment and updated details on release timing within approximately 24 hours after the OpenSSL release: https://groups.google.com/forum/#!forum/nodejs-sec

The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security.

Please contact [email protected] if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.