doc: simplify valid security issue descriptions
PR-URL: #23881
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Showing with 4 additions and 5 deletions.
README.md
|
@@ -182,18 +182,17 @@ nonetheless. |
|
|
### Private disclosure preferred |
|
|
|
|
|
- [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/): |
|
|
_Fix invalid wildcard certificate validation check_. This is a high severity |
|
|
defect that would allow a malicious TLS server to serve an invalid wildcard |
|
|
certificate for its hostname and be improperly validated by a Node.js client. |
|
|
_Fix invalid wildcard certificate validation check_. This was a high-severity |
|
|
defect. It caused Node.js TLS clients to accept invalid wildcard certificates. |
|
|
|
|
|
- [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes |
|
|
the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities |
|
|
in the TLS/SSL protocols also affect Node.js. |
|
|
|
|
|
- [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/): |
|
|
_Fix defects in HTTP header parsing for requests and responses that can allow |
|
|
response splitting_. While the impact of this vulnerability is application and |
|
|
network dependent, it is remotely exploitable in the HTTP protocol. |
|
|
response splitting_. This was a remotely-exploitable defect in the Node.js |
|
|
HTTP implementation. |
|
|
|
|
|
When in doubt, please do send us a report. |
|
|
|
|
|
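Review bot: In the rewritten CVE-2016-2216 entry, "remotely-exploitable" should not carry a hyphen, because a compound modifier that starts with an -ly adverb is written open; suggest "This was a remotely exploitable defect in the Node.js HTTP implementation." The hyphen in "high-severity" in the CVE-2016-7099 entry is correct and can stay. A smaller point on the same entry: the old text said the impact is "application and network dependent", and the new sentence drops that qualifier entirely. Since this list exists to help reporters judge what counts as a valid security issue, consider whether a short form of that caveat is worth keeping, or confirm that dropping it is intended.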