blog: aug 2019 security post-release announcement #2412

sam-github · 2019-08-15T17:44:13Z

Waiting on actual release to update timestamps and merge.

richardlau · 2019-08-15T18:06:01Z

It looks like some of the fixes are revertible (via --security-reverts=). Do we document those?

richardlau · 2019-08-15T18:09:01Z

It looks like some of the fixes are revertible (via --security-reverts=). Do we document those?

(Also it looks like the flag is --security-revert= in 8.x and --security-reverts= in 10.x and 12.x which is an annoying inconsistency.)

sam-github · 2019-08-15T19:00:38Z

In these cases, I would rather not doc the sec reverts. They are there if anyone reports problems, but there weren't any concerns raised about the limits during PR review, they seem pretty generous and unlikely to be hit by normal apps.

The inconsistency is not good. I think it was a typo introduced in https://github.com/addaleax/node/blob/be4a3b658a692d390f4fa9a187189c2ee993de1c/src/node_options.cc#L137 but probably not noticed because there were no revertible CVEs at the time.

I don't think this should be fixed now, but maybe it is worth fixing on master for next time, if there is one? EDIT or perhaps it was intentional because the argument is an array? Not sure

It was called --security-revert prior to 12.x, but changed in nodejs#22490. See: nodejs/nodejs.org#2412 (comment)

It was called --security-revert prior to 12.x, but changed in #22490. See: nodejs/nodejs.org#2412 (comment) PR-URL: #29153 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>

sam-github added a commit to sam-github/node that referenced this pull request Aug 15, 2019

src: rename --security-reverts to ...-revert

89a2ac8

It was called --security-revert prior to 12.x, but changed in nodejs#22490. See: nodejs/nodejs.org#2412 (comment)

sam-github mentioned this pull request Aug 15, 2019

src: rename --security-reverts to ...-revert nodejs/node#29153

Closed

4 tasks

sam-github marked this pull request as ready for review August 15, 2019 22:41

blog: aug 2019 security post-release announcement

caaccec

sam-github force-pushed the 19-08-sec-announce-post branch from 8b1c0cd to caaccec Compare August 15, 2019 22:45

BethGriggs approved these changes Aug 15, 2019

View reviewed changes

addaleax approved these changes Aug 15, 2019

View reviewed changes

richardlau approved these changes Aug 15, 2019

View reviewed changes

Trott approved these changes Aug 15, 2019

View reviewed changes

sam-github merged commit 68dddad into master Aug 15, 2019

sam-github deleted the 19-08-sec-announce-post branch August 15, 2019 22:50

NOUIY mentioned this pull request May 10, 2022

[Snyk] Upgrade marked from 4.0.8 to 4.0.14 NOUIY/nodejs.org#92

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

blog: aug 2019 security post-release announcement #2412

blog: aug 2019 security post-release announcement #2412

sam-github commented Aug 15, 2019

richardlau commented Aug 15, 2019

richardlau commented Aug 15, 2019

sam-github commented Aug 15, 2019 •

edited

Loading

blog: aug 2019 security post-release announcement #2412

blog: aug 2019 security post-release announcement #2412

Conversation

sam-github commented Aug 15, 2019

richardlau commented Aug 15, 2019

richardlau commented Aug 15, 2019

sam-github commented Aug 15, 2019 • edited Loading

sam-github commented Aug 15, 2019 •

edited

Loading