
Add a warning on EOL versions #1401

Open

RafaelGSS opened this issue Nov 19, 2024 · 21 comments

Comments

@RafaelGSS
Member

I was talking with @marco-ippolito and we were discussing having ways for people to know when they are using an insecure version of Node.js. Instead of having a flag (#852), what if we release a patch version after one or two months of EOL alerting users they are using an EOL version?

I mean, if they pin the version and don't get the last release, they won't see the warning, but I assume it will affect most users. We could try to do it to non-LTS versions first, and then we expand the coverage to all EOL versions (starting this year, of course).

cc: @nodejs/security-wg @nodejs/tsc

@mhdawson
Member

@RafaelGSS, as you mentioned, if they pin they won't get a warning.

If instead we published a CVE indicating the release was EOL, they would get it if they are running CVE scans. I suspect this would be a more reliable way of having it be recognized as a risk.

@marco-ippolito
Member

marco-ippolito commented Nov 20, 2024

The CVE could be for weakness CWE-1104 or CWE-1329, which would make sense.

@RafaelGSS
Member Author

I think we could do both, issue a single CVE alerting EOL (after a sec release) and create a patch release with a warning?

@mhdawson
Member

I think doing both makes sense to me, provided we have a volunteer to do the patch release (as I think that's more work than doing the CVE).

@mhdawson
Member

In terms of the CVEs, I think I prefer CWE-1104, as it is possible to update Node.js; you just need to move to a later major, so CWE-1329 does not seem like as good a fit to me.

@RafaelGSS
Member Author

Right, how can we move forward with it? Should we open a PR to document it somewhere?

@ljharb
Member

ljharb commented Nov 26, 2024

For the warning, presumably there'd be an env/NODE_OPTIONS way to disable it, so as to not break CI and child process workflows?

@RafaelGSS
Member Author

Yes, we can use the same --security-revert CLI.

@mcollina
Member

mcollina commented Dec 1, 2024

I'm not entirely convinced a warning is needed, but the idea of a CVE is great.

Can we start by issuing one for all past releases?

@marco-ippolito
Member

marco-ippolito commented Dec 1, 2024

> I'm not entirely convinced a warning is needed, but the idea of a CVE is great.
>
> Can we start by issuing one for all past releases?

I think so; I think it needs to go through an H1 report.

@RafaelGSS
Member Author

Let's do it for v16.x, v19.x, and v21.x. I can take care of it early this week.

@RafaelGSS
Member Author

I've been talking with @rginn who suggested announcing on Node.js social before making this move. I asked her to provide some details about openjs health here.

@RafaelGSS
Member Author

FYI I'm going to create an "announcement" (https://github.com/orgs/nodejs/discussions/categories/announcements) informing Node.js collaborators that next week we'll be issuing a CVE for Node.js 16, 19 and 21, then I'll ask @nodejs/social to share a post that I can create or the official account can create informing our users.

@mcollina
Member

@RafaelGSS please write a public blog post instead, and set the date on or after the 7th of January. Doing this right before the holidays is not helping anyone.

@rginn

rginn commented Dec 10, 2024

+1 for a blog post holiday. I would not announce on social media without giving adequate information and context via a blog. Jen and I can help with the draft and posting across our channels.

@RafaelGSS
Member Author

> @RafaelGSS please write a public blog post instead, and set the date on or after the 7th of January. Doing this right before the holidays is not helping anyone.

Ok, that makes sense. I can write a draft and ask for Jan, Robin and TSC input. I will put it on my backlog.

@RafaelGSS
Member Author

Please see: nodejs/nodejs.org#7328

github-merge-queue bot pushed a commit to nodejs/nodejs.org that referenced this issue Jan 6, 2025
* blog: add Upcoming CVE for EOL Versions post

Refs: nodejs/security-wg#1401

* update: mention openjs ecosystem sustainability program

* update: mention openjs ecosystem sustainability program

* fixup! update: mention openjs ecosystem sustainability program

* Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md

Co-authored-by: Michael Dawson <[email protected]>
Signed-off-by: Rafael Gonzaga <[email protected]>

* fixup! Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md

---------

Signed-off-by: Rafael Gonzaga <[email protected]>
Co-authored-by: Michael Dawson <[email protected]>

@marco-ippolito
Member

It would be interesting if the CVE will be picked up by security tools like snyk. cc @lirantal

@ljharb
Member

ljharb commented Jan 7, 2025

I would assume it would be automatically picked up, just like other CVEs?

@RafaelGSS
Member Author

I'll issue the CVEs in the next security release.

nodejs-github-bot pushed a commit to nodejs/node that referenced this issue Jan 10, 2025
Refs: nodejs/security-wg#1401
PR-URL: #56520
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>

@Viajaz

Viajaz commented Jan 23, 2025

It would be useful to have a list of which third-party components (e.g., OpenSSL v1, llhttp) are problematic when using CWE-1104 for your CVEs (e.g., CVE-2025-23088, CVE-2025-23089).

7 participants