Commit 3ff8ba2

Blog: october 2016 security releases
Refs: #967
1 parent 76fae4f commit 3ff8ba2

1 file changed

Lines changed: 40 additions & 0 deletions

@@ -0,0 +1,40 @@
1+
---
2+
date: 2016-10-15T10:36:44.649Z
3+
category: vulnerability
4+
title: October security releases and v6 LTS "Boron" security inclusions
5+
slug: october-2016-security-releases
6+
layout: blog-post.hbs
7+
author: Rod Vagg
8+
---
9+
10+
### Node.js v6 LTS security inclusions
11+
12+
Next week, on Tuesday the 18th (late evening UTC), the Node.js Foundation will be launching its second new LTS release line, a continuation of the v6.x series of releases. This line will be codenamed "Boron" and the first version will be v6.9.0.
13+
14+
In addition to a change to introduce the `process.release.lts` property, set to `'Boron'`, we will also be including 3 low-severity security patches that only apply to the v6.x release series.
15+
16+
The security vulnerabilities being addressed are all low-severity and arise from Node.js dependencies:
17+
18+
* V8
19+
* OpenSSL when Node.js is built in [FIPS-compliant mode](https://github.com/nodejs/node/blob/master/BUILDING.md#building-nodejs-with-fips-compliant-openssl) (not official builds)
20+
* v8_inspector, a new experimental debugging protocol
21+
22+
These patches will also be included in the new v7.x _Current_ (non-LTS) release series which is due to be launched later this month.
23+
24+
* Node.js v6 ***is affected***
25+
* Node.js v4 (LTS "Argon") ***is not affected***
26+
* Node.js v0.12 (Maintenance) ***is not affected***
27+
* Node.js v0.10 (Maintenance) ***is not affected***
28+
29+
### CVE-2016-5180 "ares_create_query single byte out of buffer write"
30+
31+
A security vulnerability has been [discovered in the c-ares library](https://c-ares.haxx.se/adv_20160929.html) that is bundled with all versions of Node.js. Due to the difficulty of triggering and making use of this vulnerability we currently consider this a low-severity security flaw for Node.js users.
32+
33+
The patch has already been included in Node.js v6 and we will ensure that patched versions of the remaining affected versions are made available by Tuesday the 18th.
34+
35+
* Node.js v6 ***is not affected***
36+
* Node.js v4 (LTS "Argon") ***is affected***
37+
* Node.js v0.12 (Maintenance) ***is affected***
38+
* Node.js v0.10 (Maintenance) ***is affected***
39+
40+
We apologise for the short notice of these releases.
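
Review bot: The v6 section (new lines 14-20) names V8, OpenSSL in FIPS-compliant mode and v8_inspector as the sources of the 3 low-severity patches but gives no CVE identifier, upstream advisory link or one-line impact for any of them, whereas the c-ares section has both a CVE and a link. Add identifiers, or state explicitly that details are withheld until v6.9.0 ships. In the CVE-2016-5180 section, "bundled with all versions of Node.js" sits close to "Node.js v6 ***is not affected***" (line 35); qualifying that bullet, for example "is not affected (patch already included)", would remove the apparent contradiction and match the sentence at line 33. "Tuesday the 18th" appears twice without a month, so spelling out October would keep the post readable without its front-matter date.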
