diff options
author | Rod Vagg <rod@vagg.org> | 2018-11-25 21:51:58 +1100 |
---|---|---|
committer | Rod Vagg <rod@vagg.org> | 2018-11-28 11:36:34 +1100 |
commit | cc399cf5b2253dd9f3bcdeeff422059d58795d75 (patch) | |
tree | 937d76ffd376901bf95a500a970f432228def2cd /CHANGELOG.md | |
parent | 9910cc29bc14160cb4e718e61b87dc6de7cbbfaa (diff) | |
download | android-node-v8-cc399cf5b2253dd9f3bcdeeff422059d58795d75.tar.gz android-node-v8-cc399cf5b2253dd9f3bcdeeff422059d58795d75.tar.bz2 android-node-v8-cc399cf5b2253dd9f3bcdeeff422059d58795d75.zip |
2018-11-27, Version 11.3.0 (Current)
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/156/
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- | CHANGELOG.md | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fa46f5e92..cdc7a9da87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,8 @@ release. </tr> <tr> <td valign="top"> -<b><a href="doc/changelogs/CHANGELOG_V11.md#11.2.0">11.2.0</a></b><br/> +<b><a href="doc/changelogs/CHANGELOG_V11.md#11.3.0">11.3.0</a></b><br/> +<a href="doc/changelogs/CHANGELOG_V11.md#11.2.0">11.2.0</a><br/> <a href="doc/changelogs/CHANGELOG_V11.md#11.1.0">11.1.0</a><br/> <a href="doc/changelogs/CHANGELOG_V11.md#11.0.0">11.0.0</a><br/> </td> |