doc: releases avail for oct DOS sec vuln

PR-URL: #1420 Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
nodejs · Oct 24, 2017 · cd28b55 · cd28b55
1 parent bb2efed
commit cd28b55
Showing 1 changed file with 38 additions and 1 deletion.
diff --git a/locale/en/blog/vulnerability/oct-2017-dos.md b/locale/en/blog/vulnerability/oct-2017-dos.md
@@ -1,12 +1,49 @@
 ---
-date: 2017-10-17T19:30:00.617Z
+date: 2017-10-24T22:00:00.617Z
 category: vulnerability
 title: DOS security vulnerability, October 2017
 slug: oct-2017-dos
 layout: blog-post.hbs
 author: Michael Dawson
 ---
 
+# _(Update 24-October-2017)_ Releases available
+
+## Summary
+
+Updates are now available for all active Node.js release lines.  These include the fix for the vulnerability identified in the initial announcement.
+
+We recommend that all users upgrade as soon as possible.
+
+**Downloads**
+* [Node.js v8 (Current)](https://nodejs.org/en/blog/release/v8.8.0)
+* [Node.js v6 (LTS "Boron")](https://nodejs.org/en/blog/release/v6.11.5)
+* [Node.js v4 (LTS "Argon")](https://nodejs.org/en/blog/release/v4.8.5)
+
+## Node.js-specific security flaws
+
+Node.js was susceptible to a remote DoS attack due to a change that came in as part of
+zlib v1.2.9.  In zlib v1.2.9 `8` became an invalid value for the `windowBits` parameter
+and Node's zlib module will crash or throw an exception (depending on the version) if you call:
+```
+zlib.createDeflateRaw({windowBits: 8})
+```
+The `windowBits` parameter controls how much of a message zlib keeps in memory
+while compressing it. A larger "window", as it's called, means more
+opportunities to spot and compress repeated bits of text, but results in higher
+memory usage. windowBits is the base-2 logarithm of the size of this window in
+bytes, and previously could take any integer value from 8 to 15.
+
+This problem (Node.js crashing or throwing an exception) could be remotely exploited using some of the existing WebSocket clients that may request a value of `8` for `windowBits` in certain cases or with a custom built WebSocket client.  There may also exist other vectors through which a zLib operation would be initiated by a remote request with a window size that results in a value of `windowBits` of 8.
+
+This problem was resolved within Node.js by changing any request for a `windowBits` size of 8 to use a `windowsBits` size of 9 instead.  This is consistent with previous zLib behavior and we believe minimizes the impact of the change on existing applications.
+
+This vulnerability has been assigned CVE-2017-14919.
+
+
+***Original post is included below***
+
+--------------------------------------
 # Summary
 The Node.js project will be releasing new versions of 4.x, 6.x, and 8.x the week of the 24th of October to incorporate a security fix.