JorisVanEijden closed 5 years ago
Thanks @JorisVanEijden, I'll check the necessary updates to fix this.
@JorisVanEijden can you try version 2.10.3?
2.10.3 ships with 7.9.0 too. 2.10.4 contains node 8.2.1 which is 3 security releases behind:
Again, I have no idea if any of these are actually exploitable in Rocket.Chat.
@JorisVanEijden please try version 2.10.5
2.10.5 also has node 8.2.1
My Setup
Description
Windows version comes with node.dll v7.9.0, which has a security issue (https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/). Fixed version is 7.10.1.
Current Behavior
Node version with known security vulnerabilities used.
Expected Behavior
Node version with no known security vulnerabilities used.
Disclaimer
I am not personally aware of specific ways to abuse this vulnerability. I just get alerts from our security software when users install Rocket.Chat.