2018-11-27, Version 11.3.0 (Current)

This is a security release. All Node.js users should consult the security
release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)

Notable Changes:

* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
  with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/156/

0 files changed, 0 insertions, 0 deletions