The OpenSSL project has announced that they will be releasing versions 1.0.1t and 1.0.2h this week, on Tuesday the 3rd of May, UTC. The releases will fix "several security defects" that are labelled as "high" severity under their security policy, meaning they are:
...
issues that are of a lower risk than critical, perhaps due to affecting
less common configurations, or which are less likely to be exploitable.
Node.js v0.10 and v0.12 both use OpenSSL v1.0.1 and Node.js v4, v5 and v6 use OpenSSL v1.0.2, and releases from nodejs.org and some other popular distribution sources are statically compiled. Therefore, all active release lines are impacted by this update.
At this stage, due to embargo, the exact nature of these defects is uncertain, as is what impact they will have on Node.js users, if any. We will proceed as follows:
Within approximately 24 hours of the OpenSSL releases, our crypto team will make an impact assessment for Node.js users of the OpenSSL releases. This information may vary across the different active release lines and will be posted here.
As part of that impact assessment we will announce our release plans for each of the active release lines to take into account any impact.
Please be prepared for the possibility of important updates to Node.js v0.10, v0.12, v4, v5 and v6 soon after Tuesday, the 3rd of May. It is likely that, if upgrades are required, they will be ready on or after Thursday, the 5th of May.
Note that Node.js v5 will be supported until June and will therefore be included in this set of releases.
Please monitor the nodejs-sec Google Group for updates, including an impact assessment and updated details on release timing within approximately 24 hours after the OpenSSL release: https://groups.google.com/forum/#!forum/nodejs-sec
Contact and future updates
The current Node.js security policy can be found at https://nodejs.org/en/security/.
Please contact secu...@nodejs.org if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.
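
Because the announcement notes that Node.js binaries bundle OpenSSL statically, operators can check which OpenSSL a given binary reports against the fixed releases it names (1.0.1t and 1.0.2h). The following is an added example, not part of the original announcement or Node.js project code; the function names and result labels are assumptions made for illustration, and the sample version strings in the comments are constructed.

```javascript
'use strict';

// Fixed OpenSSL releases named in the announcement, keyed by branch.
const FIXED = { '1.0.1': '1.0.1t', '1.0.2': '1.0.2h' };

// Parse the OpenSSL 1.x "major.minor.fix[letters]" scheme, e.g. "1.0.2g".
// Returns null when the string does not start with three dotted numbers.
function parseOpenSSL(version) {
  const m = /^(\d+\.\d+\.\d+)([a-z]*)/.exec(String(version));
  return m ? { branch: m[1], patch: m[2] } : null;
}

// Patch letters order as "" < "a" < ... < "z" < "za" < "zb" ...,
// so a shorter suffix sorts first, then plain string order decides.
function comparePatch(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Classify a version string (hypothetical labels):
//   'older-than-fix'  : same branch, released before the fixed version
//   'at-or-after-fix' : same branch, fixed version or later
//   'not-covered'     : a branch this announcement does not mention
function assess(version) {
  const v = parseOpenSSL(version);
  if (!v || !(v.branch in FIXED)) return 'not-covered';
  const fixed = parseOpenSSL(FIXED[v.branch]);
  return comparePatch(v.patch, fixed.patch) < 0
    ? 'older-than-fix'
    : 'at-or-after-fix';
}

// Report on the OpenSSL version string of the running Node.js binary.
const bundled = process.versions.openssl;
console.log(`bundled OpenSSL ${bundled}: ${assess(bundled)}`);
```

A result of 'older-than-fix' only means the binary predates the fixed OpenSSL release; whether Node.js users are actually affected is what the impact assessment described above will state.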