2020-09-11 20:50:33 +08:00
# Security release process
2019-09-24 07:28:23 +08:00
2019-12-17 05:38:27 +08:00
The security release process covers the steps required to plan/implement a
security release. This document is copied into the description of the Next
2021-10-07 12:40:23 +08:00
Security Release and used to track progress on the release. It contains _**TEXT
LIKE THIS**_ which will be replaced during the release process with the
2020-02-08 03:10:27 +08:00
information described.
2019-09-24 07:28:23 +08:00
2022-01-27 01:11:15 +08:00
## Security release stewards
For each security release, a security steward will take ownership for
coordinating the steps outlined in this process. Security stewards
are nominated through an issue in the TSC repository and approved
through the regular TSC consensus process. Once approved, they
are given access to all of the resources needed to carry out the
steps listed in the process as outlined in
[security steward on/off boarding ](security-steward-on-off-boarding.md ).
The current security stewards are documented in the main Node.js
[README.md ](https://github.com/nodejs/node#security-release-stewards ).
2023-02-18 02:05:06 +08:00
| Company | Person | Release Date |
| ------------ | --------------- | ------------ |
| NearForm | Matteo | 2021-Oct-12 |
| Datadog | Bryan | 2022-Jan-10 |
| RH and IBM | Joe | 2022-Mar-18 |
| NearForm | Matteo / Rafael | 2022-Jul-07 |
| Datadog | Vladimir | 2022-Sep-23 |
| NodeSource | Juan | 2022-Nov-04 |
| RH and IBM | Michael | 2023-Feb-16 |
| Platformatic | Matteo | |
| Datadog | Bryan | |
| IBM | Joe | |
| NearForm | Rafael | |
| NodeSource | Juan | |
| Red Hat | Michael | |
2022-01-27 01:11:15 +08:00
2019-09-24 07:28:23 +08:00
## Planning
2020-02-08 03:10:27 +08:00
* [ ] Open an [issue ](https://github.com/nodejs-private/node-private ) titled
`Next Security Release` , and put this checklist in the description.
2019-09-24 07:28:23 +08:00
2019-12-17 05:38:27 +08:00
* [ ] Get agreement on the list of vulnerabilities to be addressed:
2021-10-07 12:40:23 +08:00
* _**H1 REPORT LINK**_: _**DESCRIPTION**_ (_**CVE or H1 CVE request link**_)
* v10.x, v12.x: _**LINK to PR URL**_
2020-02-08 03:10:27 +08:00
* ...
* [ ] PR release announcements in [private ](https://github.com/nodejs-private/nodejs.org-private ):
2020-09-11 20:50:33 +08:00
* (Use previous PRs as templates. Don't forget to update the site banner and
2020-02-08 03:10:27 +08:00
the date in the slug so that it will move to the top of the blog list.)
2022-07-01 01:05:54 +08:00
* (Consider using a [Vulnerability Score System ](https://www.first.org/cvss/calculator/3.1 )
to identify severity of each report)
2022-10-03 01:41:48 +08:00
* Share the patch with the reporter when applicable.
It will increase the fix accuracy.
2021-10-07 12:40:23 +08:00
* [ ] pre-release: _**LINK TO PR**_
* [ ] post-release: _**LINK TO PR**_
2022-01-07 23:41:45 +08:00
* List vulnerabilities in order of descending severity
2021-07-30 15:23:18 +08:00
* Ask the HackerOne reporter if they would like to be credited on the
security release blog page:
```text
Thank you to < name > for reporting this vulnerability.
```
2019-09-24 07:28:23 +08:00
2021-10-07 12:40:23 +08:00
* [ ] Get agreement on the planned date for the release: _**RELEASE DATE**_
2019-09-24 07:28:23 +08:00
2020-02-08 03:10:27 +08:00
* [ ] Get release team volunteers for all affected lines:
2021-10-07 12:40:23 +08:00
* v12.x: _**NAME of RELEASER(S)**_
2020-02-08 03:10:27 +08:00
* ... other lines, if multiple releasers
## Announcement (one week in advance of the planned release)
2019-09-24 07:28:23 +08:00
2021-10-05 23:18:44 +08:00
* [ ] Verify that GitHub Actions are working as normal: < https: // www . githubstatus . com /> .
2020-02-08 03:10:27 +08:00
* [ ] Check that all vulnerabilities are ready for release integration:
* PRs against all affected release lines or cherry-pick clean
* Approved
2022-10-03 01:41:48 +08:00
* (optional) Approved by the reporter
* Build and send the binary to the reporter according to its architecture
and ask for a review. This step is important to avoid insufficient fixes
between Security Releases.
2020-02-08 03:10:27 +08:00
* Pass `make test`
* Have CVEs
2021-10-07 12:40:23 +08:00
* Make sure that dependent libraries have CVEs for their issues. We should
only create CVEs for vulnerabilities in Node.js itself. This is to avoid
having duplicate CVEs for the same vulnerability.
2020-02-08 03:10:27 +08:00
* Described in the pre/post announcements
2019-09-24 07:28:23 +08:00
2021-11-04 22:29:10 +08:00
* [ ] Pre-release announcement to nodejs.org blog: _**LINK TO BLOG**_
(Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
nodejs/nodejs.org)
2022-03-24 22:31:29 +08:00
If the security release will only contain an OpenSSL update consider
adding the following to the pre-release announcement:
```text
Since this security release will only include updates for OpenSSL, if you're using
a Node.js version which is part of a distribution which uses a system
installed OpenSSL, this Node.js security update might not concern you. You may
instead need to update your system OpenSSL libraries, please check the
security announcements for the distribution.
```
2021-10-07 12:40:23 +08:00
* [ ] Pre-release announcement [email][]: _**LINK TO EMAIL**_
* Subject: `Node.js security updates for all active release lines, Month Year`
* Body:
2021-04-19 11:50:21 +08:00
```text
The Node.js project will release new versions of all supported release lines on or shortly after Day of week, Month Day of Month, Year
For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
```
2021-12-13 03:40:46 +08:00
(Get access from existing manager: Matteo Collina, Rodd Vagg, Michael Dawson,
2023-04-01 20:54:43 +08:00
Bryan English)
2019-09-24 07:28:23 +08:00
2021-08-06 03:16:24 +08:00
* [ ] CC `oss-security@lists.openwall.com` on pre-release
The google groups UI does not support adding a CC, until we figure
out a better way, forward the email you receive to
`oss-security@lists.openwall.com` as a CC.
2021-08-30 14:23:48 +08:00
* [ ] Create a new issue in [nodejs/tweet][]
2023-02-18 02:15:00 +08:00
2021-08-30 14:23:48 +08:00
```text
Security release pre-alert:
We will release new versions of < add versions > release lines on or shortly
after Day Month Date, Year in order to address:
2020-09-09 05:15:31 +08:00
2021-08-30 14:23:48 +08:00
- # high severity issues
- # moderate severity issues
https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
```
2021-10-07 12:40:23 +08:00
2023-02-18 02:15:00 +08:00
We specifically ask that collaborators other than the releasers and security
steward working on the security release do not tweet or publicise the release
until the tweet from the Node.js twitter handle goes out. We have often
seen tweets sent out before the release and associated announcements are
complete which may confuse those waiting for the release and also takes
away from the work the releasers have put into shipping the releases.
2020-02-08 03:10:27 +08:00
* [ ] Request releaser(s) to start integrating the PRs to be released.
2021-10-07 12:40:23 +08:00
* [ ] Notify [docker-node][] of upcoming security release date: _**LINK**_
2021-07-01 16:08:01 +08:00
```text
Heads up of Node.js security releases Day Month Year
As per the Node.js security release process this is the FYI that there is going to be a security release Day Month Year
```
2020-02-08 03:10:27 +08:00
* [ ] Notify build-wg of upcoming security release date by opening an issue
in [nodejs/build][] to request WG members are available to fix any CI issues.
2021-07-01 16:08:01 +08:00
```text
Heads up of Node.js security releases Day Month Year
As per security release process this is a heads up that there will be security releases Day Month Year and we'll need people from build to lock/unlock ci and to support and build issues we see.
```
2019-09-24 07:28:23 +08:00
2019-12-17 05:38:27 +08:00
## Release day
2019-09-24 07:28:23 +08:00
2021-02-18 03:49:52 +08:00
* [ ] [Lock CI ](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#before-the-release )
2020-02-08 03:10:27 +08:00
2019-12-17 05:38:27 +08:00
* [ ] The releaser(s) run the release process to completion.
2019-09-24 07:28:23 +08:00
2021-02-18 03:49:52 +08:00
* [ ] [Unlock CI ](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#after-the-release )
2020-02-08 03:10:27 +08:00
2021-11-04 22:29:10 +08:00
* [ ] Post-release announcement to Nodejs.org blog: _**LINK TO BLOG POST**_
* (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
nodejs/nodejs.org)
2021-10-07 12:40:23 +08:00
* [ ] Post-release announcement in reply [email][]: _**LINK TO EMAIL**_
* CC: `oss-security@lists.openwall.com`
* Subject: `Node.js security updates for all active release lines, Month Year`
* Body:
2021-04-19 11:50:21 +08:00
```text
The Node.js project has now released new versions of all supported release lines.
For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
```
2020-02-08 03:10:27 +08:00
2021-08-30 14:23:48 +08:00
* [ ] Create a new issue in [nodejs/tweet][]
```text
Security release:
New security releases are now available for versions < add versions > of Node.js.
2020-02-08 03:10:27 +08:00
2021-08-30 14:23:48 +08:00
https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
```
2021-10-07 12:40:23 +08:00
2020-02-08 03:10:27 +08:00
* [ ] Comment in [docker-node][] issue that release is ready for integration.
The docker-node team will build and release docker image updates.
* [ ] For every H1 report resolved:
* Close as Resolved
* Request Disclosure
* Request publication of [H1 CVE requests][]
* (Check that the "Version Fixed" field in the CVE is correct, and provide
links to the release blogs in the "Public Reference" section)
2019-09-24 07:28:23 +08:00
* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
2021-02-18 03:49:52 +08:00
[core ](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core )
2021-10-07 12:40:23 +08:00
vulnerability DB. _**LINK TO PR**_
2021-07-01 21:41:15 +08:00
* For each vulnerability add a `#.json` file, one can copy an existing
[json ](https://github.com/nodejs/security-wg/blob/0d82062d917cb9ddab88f910559469b2b13812bf/vuln/core/78.json )
file, and increment the latest created file number and use that as the name
of the new file to be added. For example, `79.json` .
2019-09-24 07:28:23 +08:00
2020-02-08 03:10:27 +08:00
* [ ] Close this issue
2019-09-24 07:28:23 +08:00
* [ ] Make sure the PRs for the vulnerabilities are closed.
2022-04-30 01:55:21 +08:00
* [ ] PR in that you stewarded the release in
[Security release stewards ](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards ).
If necessary add the next rotation of the steward rotation.
2022-09-28 06:10:27 +08:00
## When things go wrong
### Incomplete fixes
When a CVE is reported as fixed in a security release and it turns out that the
fix was incomplete, a new CVE should be used to cover subsequent fix. This
is best practice and avoids confusion that might occur if people believe
they have patched the original CVE by updating their Node.js version and
then we later change the `fixed in` value for the CVE.
### Updating CVEs
The steps to correct CVE information are:
* Go to the “CVE IDs” section in your program
sections (< https: / / hackerone . com / nodejs / cve_requests > )
* Click the “Request a CVE ID” button
* Enter the CVE ID that needs to be updated
* Include all the details that need updating within the form
* Submit the request
2020-02-08 03:10:27 +08:00
[H1 CVE requests]: https://hackerone.com/nodejs/cve_requests
2020-04-06 11:26:24 +08:00
[docker-node]: https://github.com/nodejs/docker-node/issues
2020-02-08 03:10:27 +08:00
[email]: https://groups.google.com/forum/#!forum/nodejs-sec
2020-09-11 20:50:33 +08:00
[nodejs/build]: https://github.com/nodejs/build/issues
2021-08-30 14:23:48 +08:00
[nodejs/tweet]: https://github.com/nodejs/tweet/issues