doc: provide info on impact of recent vulns

PR-URL: #1547 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yang Guo <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Mandeep Singh <[email protected]> Reviewed-By: Vladimir de Turckheim <[email protected]> Reviewed-By: Yang Guo <[email protected]> Reviewed-By: Tierney Cyren <[email protected]>
nodejs · Jan 9, 2018 · cdc4144 · cdc4144
1 parent 85673cc
commit cdc4144
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 2 deletions.
diff --git a/build.js b/build.js
@@ -270,7 +270,8 @@ function getSource (callback) {
         },
         banner: {
           visible: true,
-          link: 'https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/'
+          text: 'Spectre and Meltdown in the context of Node.js.',
+          link: 'https://nodejs.org/en/blog/vulnerability/jan-2018-spectre-meltdown/'
         }
       }
     }

diff --git a/layouts/index.hbs b/layouts/index.hbs
@@ -14,7 +14,7 @@
 
         {{#if project.banner.visible}}
           <p class="home-version home-version-banner">
-            <a href="{{ project.banner.link }}">{{{ labels.banner }}}</a>
+            <a href="{{ project.banner.link }}">{{#if project.banner.text}}{{{ project.banner.text }}}{{else}}{{{ labels.banner }}}{{/if}}</a>
           </p>
         {{/if}}
 

diff --git a/locale/en/blog/vulnerability/jan-2018-spectre-meltdown.md b/locale/en/blog/vulnerability/jan-2018-spectre-meltdown.md
@@ -0,0 +1,42 @@
+---
+date: 2018-01-08T17:30:00.617Z
+category: vulnerability
+title: Meltdown and Spectre - Impact On Node.js
+slug: jan-2018-spectre-meltdown
+layout: blog-post.hbs
+author: Michael Dawson
+---
+
+# Summary
+
+Project zero has recently announced some new attacks that have received a
+lot of attention:
+https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html.
+
+The risk from these attacks to systems running Node.js resides in the
+systems in which your Node.js applications run, as opposed to the
+Node.js runtime itself. The trust model for Node.js assumes you are
+running trusted code and does not provide any separation between code
+running within the runtime itself. Therefore, untrusted code that
+would be necessary to execute these attacks in Node.js could already
+affect the execution of your Node.js applications in ways that
+are more severe than possible through these new attacks.
+
+This does not mean that you don't need to protect yourself from
+these new attacks when running Node.js applications. If an attacker
+manages to run malicious code on an upatched OS (whether using
+JavaScript or something else) they may be able to access memory and or
+data that they should not have access to.  In order to protect yourself
+from these cases, apply the security patches for your operating
+system. You do not need to update the Node.js runtime.
+
+# Contact and future updates
+
+The current Node.js security policy can be found at https://nodejs.org/en/security/.
+
+Please contact [email protected] if you wish to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only nodejs-sec mailing list at
+https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date
+on security vulnerabilities and security-related releases of Node.js and
+the projects maintained in the [nodejs GitHub organisation](https://github.com/nodejs/).