Node.dll insecure version

[JorisVanEijden]

My Setup

• Windows 10
• Rocket.Chat+ 2.10.2

• [x] I have tested with the latest application version
• [x] I can simulate the issue easily

Description

Windows version comes with node.dll v7.9.0 which has a security issue (https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/) Fixed version is 7.10.1

Current Behavior

Node version with known security vulnerabilities used.

Expected Behavior

Node version with no known security vulnerabilities used.

Disclaimer

I am not personally aware of specific ways to abuse this vulnerability. I just get alerts from our security software when users install Rocket.Chat.

[gdelavald]

Thanks @JorisVanEijden I'll check the necessary updates to fix this.

[engelgabriel]

@JorisVanEijden can you try the version 2.10.3?

[JorisVanEijden]

2.10.3 ships with 7.9.0 too. 2.10.4 contains node 8.2.1 which is 3 security releases behind:

• https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/
• https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
• https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/

Again, I have no idea if any of these are actually exploitable in Rocket.Chat.

[engelgabriel]

@JorisVanEijden please try version 2.10.5

[JorisVanEijden]

2.10.5 also has node 8.2.1