Skip to content
  • Software version in nodeinfo

    ActivityPub
    2
    5 Votes
    2 Posts
    228 Views
    J
    @julian said in Software version in nodeinfo: The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one facet of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can. The only thing in all of this that is relevant to the software operator (i.e. not nodebb developers but those using it as self-hosting) is tracking updates and applying them quickly, so I'm against exposing the version number in a way that would allow bots to easily identify which nodebb installations around the world are still vulnerable
  • Security Vulnerability Notifications

    NodeBB Development
    2
    4 Votes
    2 Posts
    1k Views
    julianJ
    Additionally, a note about how our disclosures are reported. As outlined in our security policy, we maintain a bug bounty program. We use this as a central point of contact for reported vulnerabilities so that they do not get unintentionally exposed for exploit, and to keep better track of them over time. BUG BOUNTY HOMEPAGE/RULES Included in that bug bounty page is a Hall of Fame, a list of users who have claimed credit for discovering bugs. It also provides a rough history of awarded bounties and vulnerabilities as well.
  • NodeBB 2.8.17 & 3.3.5 Security Releases

    NodeBB Development
    16
    1 Votes
    16 Posts
    1k Views
    FrankMF
    I somehow got it to v3.3.5 now. Please do not ask how I'm thinking about reinstalling to start cleanly.
  • 5 Votes
    2 Posts
    1k Views
    barisB
    Just a heads up 1.x is no longer supported. 2.x will be supported for another 12 months up to August 2025.
  • 4 Votes
    1 Posts
    312 Views
    barisB
    A bug in our socket.io authentication code can result in Cross-Site WebSocket Hijacking (CSWSH) Affected versions <2.8.13 & <3.1.3 We have resolved this in the latest version of NodeBB(2.8.13 & 3.1.3), and the fix has already been rolled out as a patch on all of our hosted customers. The fix is included in the latest 2.8.13 & 3.1.3 releases https://github.com/NodeBB/NodeBB/releases/tag/v2.8.13 https://github.com/NodeBB/NodeBB/releases/tag/v3.1.3
  • NodeBB 2.8.7 Security Update

    NodeBB Development
    1
    2 Votes
    1 Posts
    307 Views
    barisB
    A bug in our message parsing code can result in remote code execution. Affected versions >=2.5.0 <2.8.7 We have resolved this in the latest version of NodeBB(2.8.7), and the fix has already been rolled out as a patch on all of our hosted customers. The fix is included in the latest 2.8.7 release https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7. If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092
  • NodeBB 2.8.1 Security Update

    Moved NodeBB Development
    4
    3 Votes
    4 Posts
    640 Views
    barisB
    It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case, the fix in 2.8.1 should cover all cases. You can either upgrade to 2.8.1 or only get the changes from the specific commit.
  • NodeBB 2.6.1 Security Update

    Moved NodeBB Development
    2
    2 Votes
    2 Posts
    735 Views
    julianJ
    The security advisory has now been published