Node.js 預定在十月 24 號發表安全性更新

在「DOS security vulnerability, October 2017」這邊先發佈了日期與影響範圍,細節預定在 10/24 發表:

The Node.js project will be releasing new versions of 4.x, 6.x, and 8.x the week of the 24th of October to incorporate a security fix.

Versions 4.8.2 and later of Node.js are vulnerable.
Versions 6.10.2 and later of Node.js are vulnerable.
Versions 8.x of Node.js are vulnerable.

有心人應該可以去翻 4.8.2 改了什麼 (或是 6.10.2),不知道是不是跟前陣子的「V8 對 Hash Flooding 的防禦措施」有關...

cURL 接下來的安全性更新...

cURL 的維護老大放話要大家注意接下來的安全性更新:「An alert on the upcoming 7.51.0 release」。

最少 11 個安全性更新:

This release will bundle no less than _eleven_ security advisories and their associated fixes (unless we get more reported in the time we have left).

由於這些 security issue 的特性,會採取不公開的 branch 修正再 merge 回來,再加上這麼大的數量,對於穩定性的衝擊是未知的:

Merging eleven previously non-disclosed branches into master just before a release is not ideal but done so to minimize the security impact on existing users when the problems get known.

所以目前的規劃是會在 release 的 48 個小時前公開 (希望藉由這封信讓有能力的人一起集中來看),藉此來降低衝擊:

My plan is to merge them all into master and push around 48 hours before release, watch the autobuilds closesly, have a few extra coverity scans done and then fix up what's found before the release.

這安全更新的數量好像有點多 orz

歷史上的爆炸記錄?

在「a brief history of one line fixes」列出了許多經典的問題...

裡面最有印象的還是 2008 年 Debian OpenSSL 問題,也因為這個問題影響太嚴重,後來預設會安裝 openssl-blacklist 這個套件,在連線時檢查是不是有問題的 key...

然後 Android memset() 那個很精彩啊 XDDDDDDDDDDD