@julian said in Software version in nodeinfo: The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one facet of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can. The only thing in all of this that is relevant to the software operator (i.e. not nodebb developers but those using it as self-hosting) is tracking updates and applying them quickly, so I'm against exposing the version number in a way that would allow bots to easily identify which nodebb installations around the world are still vulnerable

Additionally, a note about how our disclosures are reported. As outlined in our security policy, we maintain a bug bounty program. We use this as a central point of contact for reported vulnerabilities so that they do not get unintentionally exposed for exploit, and to keep better track of them over time. BUG BOUNTY HOMEPAGE/RULES Included in that bug bounty page is a Hall of Fame, a list of users who have claimed credit for discovering bugs. It also provides a rough history of awarded bounties and vulnerabilities as well.

I somehow got it to v3.3.5 now. Please do not ask how I'm thinking about reinstalling to start cleanly.

Just a heads up 1.x is no longer supported. 2.x will be supported for another 12 months up to August 2025.

A bug in our socket.io authentication code can result in Cross-Site WebSocket Hijacking (CSWSH) Affected versions <2.8.13 & <3.1.3 We have resolved this in the latest version of NodeBB(2.8.13 & 3.1.3), and the fix has already been rolled out as a patch on all of our hosted customers. The fix is included in the latest 2.8.13 & 3.1.3 releases https://github.com/NodeBB/NodeBB/releases/tag/v2.8.13 https://github.com/NodeBB/NodeBB/releases/tag/v3.1.3

A bug in our message parsing code can result in remote code execution. Affected versions >=2.5.0 <2.8.7 We have resolved this in the latest version of NodeBB(2.8.7), and the fix has already been rolled out as a patch on all of our hosted customers. The fix is included in the latest 2.8.7 release https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7. If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092

It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case, the fix in 2.8.1 should cover all cases. You can either upgrade to 2.8.1 or only get the changes from the specific commit.

The security advisory has now been published