Security Advisories - Node.js & io.js


StrongLoop

Mar 19, 2015, 1:46:14 AM3/19/15
to stron...@googlegroups.com
Please subscribe to this thread to be notified of any security advisories related to Node.js and io.js

StrongLoop

Mar 19, 2015, 1:48:09 AM3/19/15
to stron...@googlegroups.com

March 14, 2015 

Security Advisory: libuv - incorrect revocation order while relinquishing privileges


A security vulnerability that potentially allows for local privilege escalation was recently announced (CVE-2015-0278). This affects node v0.10.36 and earlier.
 
It was found that in v0.10.36 and earlier, libuv did not call setgroups before calling setuid/setgid when spawning a child process. The child process might retain the privileges that were supposed to be dropped. This is fixed by also calling `setgroups`, which removes any extraneous groups and drops the user to the expected privileges.
 
This security issue affects node applications that create child processes, while using the ‘setuid’ or ‘setgid’ option to limit the privileges that the child process has. Applications that do not use this feature are unaffected.
 
The newly released v0.10.37 has a fix for the above issue and can be downloaded from http://nodejs.org/dist/v0.10.37.
 
Please see the original bug report for more details and let me know if you have any further questions.
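The ordering the advisory describes, as an added illustration in C (not libuv's or Node's own code): supplementary groups are cleared with `setgroups` before `setgid` and `setuid`, and a post-condition check confirms nothing extraneous survived. The uid/gid values in `main` are constructed placeholders, and the drop itself only succeeds when run as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: every supplementary group must equal the expected gid
 * (an empty list is fine too). Returns 1 when no extraneous groups remain. */
int groups_are_minimal(gid_t expected, const gid_t *groups, int count) {
    for (int i = 0; i < count; i++) {
        if (groups[i] != expected) return 0;
    }
    return 1;
}

/* Drop privileges in the order the advisory calls for: supplementary
 * groups first (the step old libuv skipped), then gid, then uid.
 * Returns 0 on success, -1 with errno set on failure. Requires root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) == -1) return -1;  /* clear extraneous groups */
    if (setgid(gid) == -1) return -1;         /* primary group before uid */
    if (setuid(uid) == -1) return -1;         /* uid last: no way back */
    if (uid != 0 && setuid(0) != -1) {        /* must fail after a real drop */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Post-condition on the live process: ids as expected and no supplementary
 * groups beyond gid. More than 64 groups cannot be minimal, so that is 0 too. */
int privileges_dropped(uid_t uid, gid_t gid) {
    gid_t groups[64];
    int n = getgroups(64, groups);
    if (n == -1) return 0;
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid &&
           groups_are_minimal(gid, groups, n);
}

int main(void) {
    uid_t uid = 65534; gid_t gid = 65534; /* constructed: typical "nobody" ids */
    if (drop_privileges(uid, gid) == -1) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("fully dropped: %s\n", privileges_dropped(uid, gid) ? "yes" : "no");
    return 0;
}
```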

StrongLoop

Mar 23, 2015, 8:06:16 PM3/23/15
to stron...@googlegroups.com

Node.js v0.10.38 includes upgraded OpenSSL (1.0.1m) and fixes several CVEs


As you may have noticed, there were a few CVEs disclosed recently related to OpenSSL. This newly released version of Node.js includes the upgraded OpenSSL and a few other fixes.
StrongLoop recommends that our users upgrade to this new release since it addresses multiple security related issues. Please post on our forums if you have any questions.
Thanks,


Sumitha