Address libnode vulnerability #19583
Comments
I tried building the latest Atom from master branch and the libnode.so shows that it is only v10.2 even though I've compiled it using NodeJS v10.16. Is there some mistake or is this using an older node?
Thanks for the heads up! The version of Node that Atom uses comes via Electron. So any updates to the version of Node that we use would come specifically with us upgrading our version of Electron (e.g. #19373 for example). We also keep an eye out for any releases of Electron that fix security vulnerabilities and update Atom as needed.
This comes from Electron, you can see by running
master is currently on Electron 3 which uses Node v10.2 (https://github.com/electron/node). Since these CVEs aren't something we would specifically resolve directly in Atom, we'll go ahead and close this out but thanks again for the heads up!
@rsese any reason why we are not moving to Electron v4 or v5? These versions have newer dependencies that would help in this issue.
Upgrading Electron in a massive project like Atom isn't a simple undertaking as there are many parts that it touches on, being the core runtime after all. You can see previous efforts in the Electron 3 PRs (#18815, #18916), and @rsese already linked you to the current work on Electron 4 in #19373. Feel free to subscribe to that PR if you are interested in following along as the team works on getting that stable 😉.
@Arcanemagus Thanks for the clarification. Must have missed that #19373 while I was reading.
This issue has been automatically locked since there has not been any recent activity after it was closed. If you can still reproduce this issue in Safe Mode then please open a new issue and fill out the entire issue template to ensure that we have enough information to address your issue. Thanks!
Description
Discovered vulnerability on libnode.so in Atom
CVE-2018-7161
CVE-2018-7167
CVE-2018-12122
CVE-2018-12121
CVE-2018-12116
CVE-2018-12115
CVE-2018-1000168
CVE-2018-7160
CVE-2017-15399
CVE-2017-5132
CVE-2017-5122
CVE-2017-5121
CVE-2017-15413
CVE-2017-15406
CVE-2017-15896
CVE-2017-14952
Atom seems to be using an older version of NodeJS. Please review and see if these vulnerabilities are valid.
Versions
1.37.0
1.38.0