Node.js 5.7 released ahead of impending OpenSSL updates

The Node.js Foundation is gearing up this week for fixes to OpenSSL that could mean updates to Node.js itself.

Releases to OpenSSL due on Tuesday will fix defects deemed to be of “high” severity, Rod Vagg, foundation technical steering committee director, said in a blog post on Monday. Within a day of the OpenSSL releases, the Node.js crypto team will assess their impacts, saying, “Please be prepared for the possibility of important updates to Node.js v0.10, v0.12, v4 and v5 soon after Tuesday, the 1st of March.”

The high severity status actually means the issues are of lower risks than critical, perhaps affecting less-common configurations or less likely to be exploitable. Due to an embargo, the exact nature of these fixes and their impact on Node.js remain uncertain, said Vagg. “Node.js v0.10 and v0.12 both use OpenSSL v1.0.1, and Node.js v4 and v5 both use OpenSSL v1.0.2, and releases from nodejs.org and some other popular distribution sources are statically compiled. Therefore, all active release lines are impacted by this update.” OpenSSL also impacted Node.js in December, when two critical vulnerabilities were fixed.

To read this article in full or to leave a comment, please click here