| author | Rod Vagg <rod@vagg.org> | 2016-09-27 23:41:11 +1000 |
|---|---|---|
| committer | Rod Vagg <rod@vagg.org> | 2016-09-28 10:35:20 +1000 |
| commit | f5ee3fe10e9d12c29009afb1b2a81e643c917d1e (patch) | |
| tree | 404b0061b172adbc1f24bce387ac7d9cb8561bff /CHANGELOG.md | |
| parent | 23e1ed72824fd551c24e465c1958f65ba24eced3 (diff) | |
| download | android-node-v8-f5ee3fe10e9d12c29009afb1b2a81e643c917d1e.tar.gz android-node-v8-f5ee3fe10e9d12c29009afb1b2a81e643c917d1e.tar.bz2 android-node-v8-f5ee3fe10e9d12c29009afb1b2a81e643c917d1e.zip | |
2016-09-27 Version 0.10.47 (Maintenance) Release
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses;
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3-digit
numbers between 100 and 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting
Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded
memory growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/71
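As an added illustration of the two `http` checks the release notes describe (this is not Node's own `ServerResponse#writeHead()` code), a JavaScript pre-flight validator that rejects a `reason` carrying CR/LF or other non-printable bytes and a status code outside 100-999, wrapped in the try/catch the notes advise. The allowed-character class, the function names and the 500 fallback are assumptions for the example.

```javascript
// Added example, not Node's implementation. The character class is an
// assumption modelled on the note: a reason phrase must not contain CR or LF
// (which would end the status line and let attacker-controlled text start a
// new header) or other control bytes.
const INVALID_REASON_CHARS = /[^\t\x20-\x7e\x80-\xff]/;

// Status codes are restricted to 3-digit integers in 100..999, as the note
// describes for the backported check.
function validateStatusCode(statusCode) {
  const code = Number(statusCode);
  if (!Number.isInteger(code) || code < 100 || code > 999) {
    throw new RangeError(`Invalid status code: ${statusCode}`);
  }
  return code;
}

function validateReason(reason) {
  if (reason === undefined) return undefined;
  if (INVALID_REASON_CHARS.test(String(reason))) {
    throw new Error('Invalid character in statusMessage.');
  }
  return String(reason);
}

// Returns the validated pair or throws, mirroring the new `throw` case the
// release note warns callers to expect when configuring a response.
function checkHead(statusCode, reason) {
  return { statusCode: validateStatusCode(statusCode), reason: validateReason(reason) };
}

// Caller-side pattern: validate first, and on failure send a fixed 500 rather
// than letting unvalidated input reach the status line. `res` only needs a
// writeHead(statusCode, reason, headers) method, so a stub works offline.
function safeWriteHead(res, statusCode, reason, headers) {
  try {
    const head = checkHead(statusCode, reason);
    res.writeHead(head.statusCode, head.reason, headers);
    return true;
  } catch (err) {
    res.writeHead(500, 'Internal Server Error');
    return false;
  }
}
```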
Diffstat (limited to 'CHANGELOG.md')

| -rw-r--r-- | CHANGELOG.md | 3 |
|---|---|---|

1 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7dd58301bd..ef096ccf23 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -101,7 +101,8 @@ release. <a href="doc/changelogs/CHANGELOG_V012.md#0.12.0">0.12.0</a><br/> </td> <td valign="top"> -<b><a href="doc/changelogs/CHANGELOG_V010.md#0.10.46">0.10.46</a></b><br/> +<b><a href="doc/changelogs/CHANGELOG_V010.md#0.10.47">0.10.47</a></b><br/> +<a href="doc/changelogs/CHANGELOG_V010.md#0.10.46">0.10.46</a><br/> <a href="doc/changelogs/CHANGELOG_V010.md#0.10.45">0.10.45</a><br/> <a href="doc/changelogs/CHANGELOG_V010.md#0.10.44">0.10.44</a><br/> <a href="doc/changelogs/CHANGELOG_V010.md#0.10.43">0.10.43</a><br/> |
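Review bot: The new bold entry links to `doc/changelogs/CHANGELOG_V010.md#0.10.47`, but this diff view is limited to CHANGELOG.md, so confirm that the same commit adds a matching `0.10.47` heading to CHANGELOG_V010.md; otherwise the index link lands on a missing anchor. Demoting 0.10.46 to a plain `<a href="doc/changelogs/CHANGELOG_V010.md#0.10.46">0.10.46</a><br/>` line is consistent with the existing rows for 0.10.45 and below.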