  • 4 Votes
    2 Posts
    966 Views
    julianJ

    Additionally, a note about how our disclosures are reported.

    As outlined in our security policy, we maintain a bug bounty program. We use this as a central point of contact for reported vulnerabilities so that they do not get unintentionally exposed for exploit, and to keep better track of them over time.

    👉 BUG BOUNTY HOMEPAGE/RULES

    Included in that bug bounty page is a Hall of Fame, a list of users who have claimed credit for discovering bugs. It also provides a rough history of awarded bounties and vulnerabilities as well.

  • 1 Votes
    16 Posts
    607 Views
    FrankMF

    I somehow got it to v3.3.5 now. Please do not ask how 😉 I'm thinking about reinstalling to start cleanly.

  • 5 Votes
    1 Posts
    668 Views
    barisB

    We recently received some inquiries about how long we will support 1.x and 2.x with security fixes.

    1.x will be supported for another 12 months, up until August 2024.
    2.x will be supported for another 24 months, up until August 2025.

    We also released https://github.com/NodeBB/NodeBB/releases/tag/v2.8.16 and https://github.com/NodeBB/NodeBB/releases/tag/v1.19.12 containing some of the fixes from the 3.x line. If you are not able to upgrade to 3.x we encourage you to upgrade to these releases.

  • 4 Votes
    1 Posts
    217 Views
    barisB

    A bug in our socket.io authentication code can result in Cross-Site WebSocket Hijacking (CSWSH).

    Affected versions <2.8.13 & <3.1.3

    We have resolved this in the latest version of NodeBB (2.8.13 & 3.1.3), and the fix has already been rolled out as a patch on all of our hosted customers.

    The fix is included in the latest 2.8.13 & 3.1.3 releases:
    https://github.com/NodeBB/NodeBB/releases/tag/v2.8.13
    https://github.com/NodeBB/NodeBB/releases/tag/v3.1.3

  • 2 Votes
    1 Posts
    218 Views
    barisB

    A bug in our message parsing code can result in remote code execution.

    Affected versions >=2.5.0 <2.8.7

    We have resolved this in the latest version of NodeBB (2.8.7), and the fix has already been rolled out as a patch on all of our hosted customers.

    The fix is included in the latest 2.8.7 release https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7.

    If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually: https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092

  • 3 Votes
    4 Posts
    491 Views
    barisB

    It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case, the fix in 2.8.1 should cover all cases.
    You can either upgrade to 2.8.1 or only get the changes from the specific commit.

  • 2 Votes
    2 Posts
    537 Views
    julianJ

    The security advisory has now been published.