Security updates for all active release lines, June 2016

Rod Vagg

(Update 23-June-2016) Releases available

After a thorough assessment of the fixes we were planning on including, we have decided to scale back this security update to only include a subset. We are deferring some fixes while we improve the required API changes in order to decrease the disruption that it may cause to users. The vulnerabilities that the deferred fixes address are low severity.

Note that there is no Node.js v6 release in this set of updates as it is not impacted by the vulnerabilities being patched.

The fixes we are including in this update are:

CVE-2016-1669 Buffer overflow in V8

Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution.

Although this bug is marked as high severity in the corresponding Chromium release (50.0.2661.102), our assessment is that this is low severity for Node.js users due to the level of difficulty in making use of this vulnerability. However, users are encouraged to upgrade their Node.js installation to ensure they are properly protected.

  • Node.js v6 (Current) is not affected as of v6.2.0 due to an update to V8 5.0.71.47, versions prior to v6.2.0 are affected
  • Node.js v5 is affected
  • Node.js v4 (LTS "Argon") is affected
  • Node.js v0.12 (Maintenance) is affected
  • Node.js v0.10 (Maintenance) is affected

CVE-2014-9748 Unsafe use of read/write locks on Windows 2003 and XP in libuv

Prior to libuv version 1.7.4, a flaw in the read/write locks implementation for Windows XP and Windows 2003 could lead to unlocking a CRITICAL_SECTION on the wrong thread, resulting in undefined and potentially unsafe behavior. This problem was identified by Zhou Ran. Node.js v4 and later are not affected as the usage of read/write was replaced with simple mutexes. Further details can be found on the libuv repository.

  • Node.js v6 (Current) is not affected
  • Node.js v5 is not affected
  • Node.js v4 (LTS "Argon") is not affected
  • Node.js v0.12 (Maintenance) is affected
  • Node.js v0.10 (Maintenance) is affected

Downloads

Please note that this may be the final release of the v5.x line as support ends on the 30th of June.


(Update 16-June-2016) Adjusted release schedule

Unfortunately we have to announce that we are delaying our security releases by a week. We have concluded that pushing forward with the releases this week would unnecessarily compromise the quality of the fixes we intended to include. Instead, we will be taking the extra time to be sure that we are delivering the stability and quality that Node.js users expect.

We now intend to make releases available on or soon after Thursday, the 23rd of June, 2016, UTC.

Original post is included below


The Node.js project has scheduled updates for all of its active release lines to patch two security flaws and one security-related usability flaw. We do not consider any of our updates to be critical, however, it is recommended that all production instances of Node.js be upgraded when the releases are made available.

We intend to make releases available on or soon after Thursday, the 16th of June, 2016, UTC.

We consider some of the patches in these releases to be API breaking changes which would normally warrant an increase in the major-version number of Node.js. However, in accordance with our security procedures we will be delivering these changes in minor-version increases (the y in x.y.z) where appropriate, and patch-version increases in v0.10 an v0.12 releases.

Therefore, we expect to be releasing:

  • Node.js v6.3.0 (Current)
  • Node.js v5.12.0
  • Node.js v4.5.0 (LTS "Argon")
  • Node.js v0.12.15 (Maintenance)
  • Node.js v0.10.46 (Maintenance)

While we anticipate minimal impact from the breaking changes, please be sure to review the details once they are released and make an assessment regarding the impact on your applications.

Additional notes:

  • It is our intention to stop releasing critical updates for the v5 release line at the end of this month, you should migrate to v6 or v4 LTS if you have not already done so.
  • In accordance with our security release procedures, we will be limiting changes included in the LTS and Maintenance lines (v4, v0.12 and v0.10) for these updates to only security-related and critical fixes to provide maximum stability for users.

V8 security defect

The V8 team has identified and patched a potential security vulnerability. We will be backporting the fix to all active release lines of Node.js. Our current assessment is that this vulnerability should be considered low-severity for Node.js users with an exploit being very difficult to develop and execute.

All versions of Node.js are affected.

HTTP processing security defect (CVE-2016-5325)

We will be including fixes relating to Node.js HTTP processing. We categorise these as low-severity and are not aware of any existing exploits leveraging the defects. Full details are embargoed until new releases are available.

Common Vulnerability Scoring System (CVSS) v3 Base Score:

MetricScore
Base Score:4.8 (Medium)
Base Vector:CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector:Network (AV:N)
Attack Complexity:High (AC:H)
Privileges Required:None (PR:N)
User Interaction:None (UI:N)
Scope of Impact:Unchanged (S:U)
Confidentiality Impact:Low (C:L)
Integrity Impact:Low (I:L)
Availability Impact:None (A:N)

Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

All versions of Node.js are affected.

This defect will identified as CVE-2016-5325

We intend to also include a patch for HTTP client in Node.js. While we do not consider this to be strictly a security concern for Node.js core, it poses a usability concern that may easily enable users to write code that exposes vulnerabilities in their applications.

All versions of Node.js are affected.

Contact and future updates

Please monitor the nodejs-sec Google Group for updates: https://groups.google.com/forum/#!forum/nodejs-sec or the Node.js website for release announcements: /blog/

The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security.

Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.