Thursday, February 11, 2016

Node.js Security Release

Node.js has just updated all its release lines to address several security issues.

Versions 0.10.42, 0.12.10, 4.3.0 and 5.6.0 addresses HTTP related vulnerabilities and also update the bundled OpenSSL version.  

Specifically solves the following issues:
  • CVE-2016-2086 Request Smuggling Vulnerability
  • CVE-2016-2216 Response Splitting Vulnerability
  • CVE-2016-0701 DH small subgroups
  • CVE-2015-3197 SSLv2 doesn't block deactivated ciphers
If you want to read more about these issues, you can check out the Node.js official announcement.

We have released new versions of Bitnami Node.js installers, virtual machines and Amazon EC2, Google, Oracle, VMware vCloud Air, DigitalOcean and Azure cloud images that fix these issues. We also released Bitnami MEAN stack and continue working on update other Node.js applications.

Have questions about Bitnami Node.js or the security issue? Post to our community forum, and we would be happy to help you.