Disable auto-loading of openssl.cnf: Node.js no longer automatically attempts to load an
OpenSSL configuration file, whether from the OPENSSL_CONF environment variable or from the
default location for the current platform. Always attempting that load allowed an attacker
who could place a file in the default location to inject a compromised OpenSSL
configuration into a Node.js process. Deployments that genuinely need a configuration file
can still load one explicitly with the --openssl-config command-line option.

Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes,
potentially allowing an attacker to read sensitive information from arbitrary memory
locations via crafted JavaScript code. Exploitation requires the attacker to already be
able to run arbitrary JavaScript in the Node.js process, so the practical exposure is
limited to deployments that execute untrusted JavaScript (the vm module is not a security
boundary and does not mitigate this).

Create a unique v8_inspector WebSocket address: A fresh UUID is generated on each run of
the inspector and forms part of the WebSocket endpoint address, so a client must know that
value to connect. This makes it harder for unauthorized clients to attach to a Node.js
process over the v8_inspector port when it is started with --inspect. Because the debugging
protocol grants extensive access to the internals of the running process, including the
execution of arbitrary code, connections must be limited to authorized tools only. The UUID
is printed in the inspector's startup message, so treat that output as a secret; and since
a random path is no substitute for network isolation, keep the inspector bound to the
loopback interface rather than exposing the port to other hosts. Note that the v8_inspector
protocol in Node.js is still considered an experimental feature. Vulnerability originally
reported by Jann Horn.

All of these vulnerabilities are considered low severity for Node.js users; nevertheless,
users of Node.js v6.x should upgrade at their earliest convenience.