Releases: nuts-foundation/nuts-node
Release list
v6.2.10
- Upgrade Go to 1.26.5 to address GO-2026-5856 (de-anonymization of Encrypted Client Hello (ECH) handshakes: PSK identities were disclosed in the unencrypted client hello, allowing passive network observers to de-anonymize sessions).
Full Changelog: v6.2.9...v6.2.10
v5.4.37
- Upgrade Go to 1.26.5 to address GO-2026-5856 (de-anonymization of Encrypted Client Hello (ECH) handshakes: PSK identities were disclosed in the unencrypted client hello, allowing passive network observers to de-anonymize sessions).
Full Changelog: v5.4.36...v5.4.37
v6.2.9
Upgrade github.com/jackc/pgx/v5 to v5.9.2 to address GO-2026-5004 (SQL injection in the non-default simple protocol when a dollar-quoted string literal contains an attacker-controlled value that looks like a placeholder).
Full Changelog: v6.2.8...v6.2.9
v5.4.36
Upgrade github.com/jackc/pgx/v5 to v5.9.2 to address GO-2026-5004 (SQL injection in the non-default simple protocol when a dollar-quoted string literal contains an attacker-controlled value that looks like a placeholder).
Full Changelog: v5.4.35...v5.4.36
v6.2.8
Upgrade Go to 1.26.4 to address GO-2026-5037 (quadratic-time DoS in crypto/x509 VerifyHostname with large DNS SAN lists, CVE-2026-27145) and GO-2026-5039 (error message injection in net/textproto, CVE-2026-42507).
Full Changelog: v6.2.7...v6.2.8
v5.4.35
Upgrade Go to 1.26.4 to address GO-2026-5037 (quadratic-time DoS in crypto/x509 VerifyHostname with large DNS SAN lists, CVE-2026-27145) and GO-2026-5039 (error message injection in net/textproto, CVE-2026-42507).
Full Changelog: v5.4.34...v5.4.35
v6.2.7
Security release addressing the following advisories:
| Advisory | Package | Description |
|---|---|---|
| GO-2026-5018 | golang.org/x/crypto/ssh |
DoS during public key authentication: unbounded RSA modulus / DSA parameter size in the RSA/DSA public key parsers caused multi-minute CPU consumption during signature verification. |
| GO-2026-5026 | golang.org/x/net/idna |
Privilege escalation: ToASCII/ToUnicode incorrectly accepted Punycode-encoded labels that decode to ASCII-only labels, allowing bypass of hostname-based checks. |
| GO-2026-4945 | github.com/go-jose/go-jose/v4 |
DoS: panic when decrypting maliciously crafted JWE tokens. |
| GO-2026-4985 | go.opentelemetry.io/otel/exporters/otlp/...http |
DoS: OTLP HTTP exporters did not limit response body size; a malicious or misconfigured collector could trigger OOM. |
Full Changelog: v6.2.6...v6.2.7
v5.4.34
Security release addressing the following advisories:
| Advisory | Package | Description |
|---|---|---|
| GO-2026-5018 | golang.org/x/crypto/ssh |
DoS during public key authentication: unbounded RSA modulus / DSA parameter size in the RSA/DSA public key parsers caused multi-minute CPU consumption during signature verification. |
| GO-2026-5026 | golang.org/x/net/idna |
Privilege escalation: ToASCII/ToUnicode incorrectly accepted Punycode-encoded labels that decode to ASCII-only labels, allowing bypass of hostname-based checks. |
| GO-2026-4945 | github.com/go-jose/go-jose/v4 |
DoS: panic when decrypting maliciously crafted JWE tokens. |
Full Changelog: v5.4.33...v5.4.34
v6.2.6
- Exclude retraction presentations from Discovery Service search results (backport of #4193).
- Make HTTP error handler idempotent on already-committed responses to prevent double-write attempts (backport of #4243).
Full Changelog: v6.2.5...v6.2.6
v6.2.5
- Update Alpine base image to 3.23.4 to pick up musl, OpenSSL and zlib security fixes.
- Upgrade Go to 1.26.3 and
golang.org/x/netto v0.53.0 to address GO-2026-4986, GO-2026-4982, GO-2026-4980, GO-2026-4977, GO-2026-4971 and GO-2026-4918 (XSS inhtml/template, quadratic concatenation innet/mail, panic inneton Windows NUL byte, infinite loop in HTTP/2 transport).
Full Changelog: v6.2.4...v6.2.5