doc: provide info on impact of recent vulns

mhdawson · mhdawson · commit cdc41446d5cd · 2018-01-09T13:52:46.000-05:00
PR-URL: #1547 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yang Guo <yangguo@chromium.org> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Mandeep Singh <daxlab@users.noreply.github.com> Reviewed-By: Vladimir de Turckheim <vdeturckheim@users.noreply.github.com> Reviewed-By: Yang Guo <yangguo@chromium.org> Reviewed-By: Tierney Cyren <hello@bnb.im>
diff --git a/build.js b/build.js
@@ -270,7 +270,8 @@ function getSource (callback) {
         },
         banner: {
           visible: true,
-          link: 'https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/'
+          text: 'Spectre and Meltdown in the context of Node.js.',
+          link: 'https://nodejs.org/en/blog/vulnerability/jan-2018-spectre-meltdown/'
         }
       }
     }
diff --git a/layouts/index.hbs b/layouts/index.hbs
@@ -14,7 +14,7 @@
 
         {{#if project.banner.visible}}
           <p class="home-version home-version-banner">
-            <a href="{{ project.banner.link }}">{{{ labels.banner }}}</a>
+            <a href="{{ project.banner.link }}">{{#if project.banner.text}}{{{ project.banner.text }}}{{else}}{{{ labels.banner }}}{{/if}}</a>
           </p>
         {{/if}}
 
diff --git a/locale/en/blog/vulnerability/jan-2018-spectre-meltdown.md b/locale/en/blog/vulnerability/jan-2018-spectre-meltdown.md
@@ -0,0 +1,42 @@
+---
+date: 2018-01-08T17:30:00.617Z
+category: vulnerability
+title: Meltdown and Spectre - Impact On Node.js
+slug: jan-2018-spectre-meltdown
+layout: blog-post.hbs
+author: Michael Dawson
+---
+
+# Summary
+
+Project zero has recently announced some new attacks that have received a
+lot of attention:
+https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html.
+
+The risk from these attacks to systems running Node.js resides in the
+systems in which your Node.js applications run, as opposed to the
+Node.js runtime itself. The trust model for Node.js assumes you are
+running trusted code and does not provide any separation between code
+running within the runtime itself. Therefore, untrusted code that
+would be necessary to execute these attacks in Node.js could already
+affect the execution of your Node.js applications in ways that
+are more severe than possible through these new attacks.
+
+This does not mean that you don't need to protect yourself from
+these new attacks when running Node.js applications. If an attacker
+manages to run malicious code on an upatched OS (whether using
+JavaScript or something else) they may be able to access memory and or
+data that they should not have access to.  In order to protect yourself
+from these cases, apply the security patches for your operating
+system. You do not need to update the Node.js runtime.
+
+# Contact and future updates
+
+The current Node.js security policy can be found at https://nodejs.org/en/security/.
+
+Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only nodejs-sec mailing list at
+https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date
+on security vulnerabilities and security-related releases of Node.js and
+the projects maintained in the [nodejs GitHub organisation](https://github.com/nodejs/).

Original file line number	Diff line number	Diff line change
`@@ -270,7 +270,8 @@ function getSource (callback) {`
`270`	`270`	`},`
`271`	`271`	`banner: {`
`272`	`272`	`visible: true,`
`273`		`- link: 'https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/'`
	`273`	`+ text: 'Spectre and Meltdown in the context of Node.js.',`
	`274`	`+ link: 'https://nodejs.org/en/blog/vulnerability/jan-2018-spectre-meltdown/'`
`274`	`275`	`}`
`275`	`276`	`}`
`276`	`277`	`}`