blog: Add security notice to v0.8.17 post

author isaacs <i@izs.me>

Thu, 10 Jan 2013 01:21:16 +0000 (17:21 -0800)

committer isaacs <i@izs.me>

Thu, 10 Jan 2013 01:21:16 +0000 (17:21 -0800)
author isaacs <i@izs.me>
Thu, 10 Jan 2013 01:21:16 +0000 (17:21 -0800)
committer isaacs <i@izs.me>
Thu, 10 Jan 2013 01:21:16 +0000 (17:21 -0800)
diff --git a/doc/blog/release/v0.8.17.md b/doc/blog/release/v0.8.17.md

index abd61ac..a1efb50 100644 (file)
--- a/doc/blog/release/v0.8.17.md
+++ b/doc/blog/release/v0.8.17.md
@@ -4,6 +4,18 @@ slug: node-v0-8-17-stable
  category: release
  version: 0.8.17
  
+This release addresses a potential security vulnerability.
+
+If you do not use TypedArrays, then you're fine (but should still
+upgrade for other reasons, like better performance and npm
+peerDependencies.)
+
+If you use TypedArrays, you should upgrade to v0.8.17 as soon as
+possible.  If user input can affect the size parameter in a
+TypedArray, an integer overflow vulnerability could allow an attacker
+to write to areas of memory outside the intended buffer.  Please
+upgrade ASAP.
+
  2012.01.09, Version 0.8.17 (Stable)
  
  * npm: Upgrade to v1.2.0