Skip to content

Releases: nuts-foundation/nuts-node

v6.2.10

Choose a tag to compare

@reinkrul reinkrul released this 13 Jul 06:47
0b7d3a5
  • Upgrade Go to 1.26.5 to address GO-2026-5856 (de-anonymization of Encrypted Client Hello (ECH) handshakes: PSK identities were disclosed in the unencrypted client hello, allowing passive network observers to de-anonymize sessions).

Full Changelog: v6.2.9...v6.2.10

v5.4.37

Choose a tag to compare

@reinkrul reinkrul released this 13 Jul 06:44
deea963
  • Upgrade Go to 1.26.5 to address GO-2026-5856 (de-anonymization of Encrypted Client Hello (ECH) handshakes: PSK identities were disclosed in the unencrypted client hello, allowing passive network observers to de-anonymize sessions).

Full Changelog: v5.4.36...v5.4.37

v6.2.9

Choose a tag to compare

@reinkrul reinkrul released this 01 Jul 08:22
d6afd52

Upgrade github.com/jackc/pgx/v5 to v5.9.2 to address GO-2026-5004 (SQL injection in the non-default simple protocol when a dollar-quoted string literal contains an attacker-controlled value that looks like a placeholder).

Full Changelog: v6.2.8...v6.2.9

v5.4.36

Choose a tag to compare

@reinkrul reinkrul released this 01 Jul 08:23
e56a10b

Upgrade github.com/jackc/pgx/v5 to v5.9.2 to address GO-2026-5004 (SQL injection in the non-default simple protocol when a dollar-quoted string literal contains an attacker-controlled value that looks like a placeholder).

Full Changelog: v5.4.35...v5.4.36

v6.2.8

Choose a tag to compare

@reinkrul reinkrul released this 04 Jun 09:09
3e7fbc4

Upgrade Go to 1.26.4 to address GO-2026-5037 (quadratic-time DoS in crypto/x509 VerifyHostname with large DNS SAN lists, CVE-2026-27145) and GO-2026-5039 (error message injection in net/textproto, CVE-2026-42507).

Full Changelog: v6.2.7...v6.2.8

v5.4.35

Choose a tag to compare

@reinkrul reinkrul released this 04 Jun 09:09
14033d6

Upgrade Go to 1.26.4 to address GO-2026-5037 (quadratic-time DoS in crypto/x509 VerifyHostname with large DNS SAN lists, CVE-2026-27145) and GO-2026-5039 (error message injection in net/textproto, CVE-2026-42507).

Full Changelog: v5.4.34...v5.4.35

v6.2.7

Choose a tag to compare

@reinkrul reinkrul released this 27 May 09:42
9221c42

Security release addressing the following advisories:

Advisory Package Description
GO-2026-5018 golang.org/x/crypto/ssh DoS during public key authentication: unbounded RSA modulus / DSA parameter size in the RSA/DSA public key parsers caused multi-minute CPU consumption during signature verification.
GO-2026-5026 golang.org/x/net/idna Privilege escalation: ToASCII/ToUnicode incorrectly accepted Punycode-encoded labels that decode to ASCII-only labels, allowing bypass of hostname-based checks.
GO-2026-4945 github.com/go-jose/go-jose/v4 DoS: panic when decrypting maliciously crafted JWE tokens.
GO-2026-4985 go.opentelemetry.io/otel/exporters/otlp/...http DoS: OTLP HTTP exporters did not limit response body size; a malicious or misconfigured collector could trigger OOM.

Full Changelog: v6.2.6...v6.2.7

v5.4.34

Choose a tag to compare

@reinkrul reinkrul released this 27 May 09:41
2b4063d

Security release addressing the following advisories:

Advisory Package Description
GO-2026-5018 golang.org/x/crypto/ssh DoS during public key authentication: unbounded RSA modulus / DSA parameter size in the RSA/DSA public key parsers caused multi-minute CPU consumption during signature verification.
GO-2026-5026 golang.org/x/net/idna Privilege escalation: ToASCII/ToUnicode incorrectly accepted Punycode-encoded labels that decode to ASCII-only labels, allowing bypass of hostname-based checks.
GO-2026-4945 github.com/go-jose/go-jose/v4 DoS: panic when decrypting maliciously crafted JWE tokens.

Full Changelog: v5.4.33...v5.4.34

v6.2.6

Choose a tag to compare

@reinkrul reinkrul released this 18 May 10:10
c9c0557
  • Exclude retraction presentations from Discovery Service search results (backport of #4193).
  • Make HTTP error handler idempotent on already-committed responses to prevent double-write attempts (backport of #4243).

Full Changelog: v6.2.5...v6.2.6

v6.2.5

Choose a tag to compare

@reinkrul reinkrul released this 11 May 08:49
1543472
  • Update Alpine base image to 3.23.4 to pick up musl, OpenSSL and zlib security fixes.
  • Upgrade Go to 1.26.3 and golang.org/x/net to v0.53.0 to address GO-2026-4986, GO-2026-4982, GO-2026-4980, GO-2026-4977, GO-2026-4971 and GO-2026-4918 (XSS in html/template, quadratic concatenation in net/mail, panic in net on Windows NUL byte, infinite loop in HTTP/2 transport).

Full Changelog: v6.2.4...v6.2.5