
Update version of ws to handle node security advisory #931

Closed
vielmetti opened this issue Jul 5, 2016 · 13 comments

Comments

@vielmetti
Contributor

The current packages.json loads a version of ws that is reported to have a denial of service condition noted here:

https://nodesecurity.io/advisories/120

"DoS due to excessively large websocket message June 24th, 2016"

and the upstream issue (now resolved) is

nodejs/node#7388

with the recommendation to update ws (at this writing the latest is 1.1.1).

Note that this would be a breaking change for anyone still running on 0.10.x of node.js, as the release notes say: "Discontinued support for all node versions except for 0.12, 4.0 and 5.0."

https://github.com/websockets/ws/releases
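Before deciding whether an install is affected, it helps to know every copy of `ws` that ends up in the dependency tree, not only the one pinned in the top-level package.json. The script below is an added example, not code from node-red or from the ws project: it walks an `npm ls --json`-style tree and reports each `ws` whose version is older than the 1.1.1 release the advisory points to. The sample tree and the `0.7.2` version in it are constructed for illustration; the version comparison is a minimal numeric triple compare written here rather than a real semver library.

```javascript
// Added example (not node-red's code): find copies of `ws` older than the
// release that addresses the advisory, in an `npm ls --json`-shaped tree.
const FIXED_WS = '1.1.1'; // latest ws at the time of the issue, per the report above

// Parse "1.1.1" or "v1.1.1" (prerelease/build suffixes ignored) into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error('not a semver-style version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator; only the numeric triple is compared.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version } for every dependency node named `pkg`.
// `npm ls --json` nests transitive dependencies under each node's `dependencies`.
function findPackage(tree, pkg, path, out) {
  const deps = tree.dependencies || {};
  for (const name of Object.keys(deps)) {
    const node = deps[name];
    const here = path.concat(name);
    if (name === pkg && node.version) {
      out.push({ path: here.join(' > '), version: node.version });
    }
    findPackage(node, pkg, here, out); // nested copies count too
  }
  return out;
}

// Every `ws` in the tree that is older than FIXED_WS.
function vulnerableWs(tree) {
  return findPackage(tree, 'ws', [], []).filter(
    (hit) => compareVersions(hit.version, FIXED_WS) < 0
  );
}

// Constructed sample tree (hypothetical versions): a direct, old `ws` plus a
// nested copy that is already at the fixed release.
const sampleTree = {
  name: 'example-app',
  version: '0.0.1',
  dependencies: {
    ws: { version: '0.7.2' },
    'some-transport': {
      version: '2.0.0',
      dependencies: { ws: { version: '1.1.1' } },
    },
  },
};

// Stand-alone run: report what would need upgrading in the sample tree.
// To check a real install, pipe `npm ls --json` into JSON.parse and pass the result.
const report = vulnerableWs(sampleTree);
for (const hit of report) {
  console.log('ws ' + hit.version + ' at ' + hit.path + ' is below ' + FIXED_WS);
}
if (report.length === 0) console.log('no ws older than ' + FIXED_WS + ' found');
```

Running it against a real tree is a matter of `npm ls --json > tree.json` and loading that file instead of `sampleTree`; a nested copy pulled in by another module shows up with its full path, which is the case that a glance at package.json alone misses.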

@knolleary
Member

Indeed, the breaking of node.js 0.10 is precisely why we've not been able to update already.

@YasharF

YasharF commented Jul 30, 2016

https://github.com/nodejs/LTS is stating that node 0.10.x is going to be end of life in two months. Keeping security vulnerabilities for everyone because there are old devices that can't support newer patched and secure software is a practice that needs to be improved. How about all of the following as the solution to resolve this issue:

  1. Do a breaking major version increment for node-red.
  2. Upgrade ws as part of the major version increment of node-red. Also, upgrade other dependencies that have vulnerabilities, see tough-cookie and requestJS listed at https://snyk.io/test/npm/node-red
  3. (optional) Continue maintaining and back-porting changes to a nodejs 0.10 compatible branch until nodejs 0.10 end of support on 10/1/2016
  4. Communicate to the community about the breaking major version increment and the issue with nodejs 0.10, and that it is done to address vulnerabilities. (optional: communicate that you will discontinue backporting other changes to the 0.10 compatible branch starting 10/1/2016.)
  5. Communicate to the community that https://github.com/nodejs/LTS is stating that node 0.12.x is going to be end of life at the end of 2016, and that after that date node-red won't be actively maintained to support NodeJS 0.12.x either.

@knolleary
Member

We are well aware of all this and are trying to come up with the plan to handle it.

The main problem is the Raspberry Pi. Based on Debian Stable, it isn't going to move away from 0.10 in its official repos for many months - way past 0.10's EOL.

We are investigating options to help the Pi team move up quicker than Debian Stable is... but there are no quick/easy solutions.

But clearly this needs resolving.

@YasharF

YasharF commented Jul 30, 2016

I don't use Raspberry Pi; would something like the following as one of the steps in the node-red documents for moving to the new breaking major version of node-red help?

@knolleary
Member

The problem is not how you manually install node 4 on a Pi. We provide those instructions and it is easy enough to do. The problem is what is preinstalled on the Raspbian image; which must be packaged as a Debian deb and taken from the Debian Stable release. The version of node the official repos offer is 0.10 and there's no escaping that.

As I said, we are actively working through a number of options.

@knolleary
Member

http://nodered.org/docs/hardware/raspberrypi.html#manual-install

@dceejay
Member

dceejay commented Jul 30, 2016

In the latest version for Pi, we also include a script
update-nodejs-and-nodered
that will remove the built-in version 0.10 and install the latest LTS 4.4 and node-red from npm.
We haven't really documented this as it uses sudo a lot, and could easily mess up an existing install. (It works fine if used straight after a clean install.)
And also of course it doesn't actually fix this particular ws dependency issue.

@ddm

ddm commented Nov 8, 2016

I just verified that the current version of node is still 0.10.29 on Raspbian (stable). I understand that breaking Raspberry Pi "out of the box" support would be unacceptable.

What is the recommended way to mitigate the following advisories with the latest node-red version?
https://nodesecurity.io/advisories/120
https://nodesecurity.io/advisories/67

@hardillb
Member

hardillb commented Nov 8, 2016

@ddm the script that @dceejay mentions will upgrade to the latest node 4.x build. This script is bundled with the out of the box node-red install. So while it ships vulnerable, it includes the mechanism to upgrade and fix things.

@knolleary
Member

Our next release, 0.16, will drop support for node 0.10 and enable us to update these modules (and others) that have already dropped support for node 0.10.

@ddm

ddm commented Nov 8, 2016

@hardillb I understand how to upgrade node.js either manually or using the script, but does the script address the ws version?
@knolleary Very cool! Thank you :)

@knolleary
Member

Done in 0.16

@knolleary
Member

(which will be released in the next few days)
