path: root/CHANGELOG.md
Age | Commit message | Author
2018-12-04 | 2018-12-03, Version 6.15.1 'Boron' (LTS) | Rod Vagg
Notable Changes:
This is a patch release to address a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to an entire keep-alive HTTP session, resulting in prematurely disconnected sockets.
PR-URL: https://github.com/nodejs/node/pull/24803
Refs: https://github.com/nodejs/node/pull/24796
Refs: https://github.com/nodejs/node/issues/24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
2018-11-29 | 2018-11-29, Version 10.14.1 'Dubnium' (LTS) | Myles Borins
Notable Changes:
* **win/msi**: Revert changes to installer causing issues on Windows systems.
PR-URL: https://github.com/nodejs/node/pull/24711
2018-11-28 | 2018-11-27, Version 11.3.0 (Current) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/156/
2018-11-28 | 2018-11-27, Version 10.14.0 'Dubnium' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/155/
2018-11-28 | 2018-11-27, Version 8.14.0 'Carbon' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Notable Changes:
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com).
  * Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/154
2018-11-28 | 2018-11-27, Version 6.15.0 'Boron' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Debugger port 5858 listens on any interface by default (CVE-2018-12120)
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Notable Changes:
* debugger: Backport of https://github.com/nodejs/node/pull/8106 to prevent the debugger from listening on `0.0.0.0`. It now defaults to `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
  * Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/153
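The headers-timeout behaviour described in the 6.15.0 and 6.15.1 entries above, as an added example that is not part of the changelog or of Node.js itself: a simplified model that replays constructed socket timelines. The event names, the `replay` function, the `perSession` switch and the rule that the header clock restarts when a request ends are assumptions made for illustration, not Node.js internals.

```javascript
'use strict';

// Default taken from the changelog text: "A timeout of 40 seconds now applies
// to servers receiving HTTP headers."
const HEADERS_TIMEOUT_MS = 40 * 1000;

// Replays one connection's timeline and returns the time (ms since connect) at
// which the headers timeout destroys the socket, or null if it never does.
//
// Event types (hypothetical names used only by this model):
//   'chunk'            data arrived on the socket
//   'headersComplete'  the current request's headers were fully received
//   'requestEnd'       the current request finished; the socket is kept alive
//
// perSession = true models what the 6.15.1 entry describes for 6.15.0: the
// headers timeout applied to the entire keep-alive session instead of to
// each request's headers.
function replay(events, { headersTimeout = HEADERS_TIMEOUT_MS, perSession = false } = {}) {
  let clockStart = 0;      // the header clock starts at connect (t = 0)
  let clockRunning = true; // true while headers are still outstanding
  for (const ev of events) {
    switch (ev.type) {
      case 'chunk':
        // The check is lazy: per the changelog, the socket is destroyed
        // "on the next received chunk", not by a timer firing on its own.
        if (clockRunning && ev.t - clockStart > headersTimeout) return ev.t;
        break;
      case 'headersComplete':
        if (!perSession) clockRunning = false;
        break;
      case 'requestEnd':
        // Assumption of this model: the clock restarts for the next request.
        if (!perSession) {
          clockStart = ev.t;
          clockRunning = true;
        }
        break;
      default:
        throw new TypeError(`unknown event type: ${ev.type}`);
    }
  }
  return null;
}

// Constructed timelines; times are milliseconds since the connection opened.

// Headers trickle in and are still incomplete after 40 s.
const SLOW_HEADERS = [
  { t: 1000, type: 'chunk' },
  { t: 20000, type: 'chunk' },
  { t: 41000, type: 'chunk' },
];

// One chunk, then silence: no later chunk ever triggers the lazy check, which
// is why the changelog pairs headersTimeout with server.setTimeout().
const STALLED = [{ t: 1000, type: 'chunk' }];

// A well-behaved keep-alive client sending three quick requests over 45 s.
const KEEP_ALIVE = [
  { t: 100, type: 'chunk' }, { t: 100, type: 'headersComplete' }, { t: 200, type: 'requestEnd' },
  { t: 30000, type: 'chunk' }, { t: 30000, type: 'headersComplete' }, { t: 30100, type: 'requestEnd' },
  { t: 45000, type: 'chunk' }, { t: 45000, type: 'headersComplete' }, { t: 45100, type: 'requestEnd' },
];

function summarize() {
  return {
    slowHeaders: replay(SLOW_HEADERS),                           // destroyed at the late chunk
    stalled: replay(STALLED),                                    // headers timeout never fires
    keepAlivePerRequest: replay(KEEP_ALIVE),                     // legitimate session survives
    keepAlivePerSession: replay(KEEP_ALIVE, { perSession: true }), // premature disconnect
  };
}

console.log(summarize());
```
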
2018-11-20 | 2018-11-20, Version 8.13.0 'Carbon' (LTS) | Beth Griggs
Notable changes:
* **assert**:
  - backport some assert commits (Ruben Bridgewater) [#23223](https://github.com/nodejs/node/pull/23223)
* **deps**:
  - upgrade to libuv 1.23.2 (cjihrig) [#23336](https://github.com/nodejs/node/pull/23336)
  - V8: cherry-pick 64-bit hash seed commits (Yang Guo) [#23274](https://github.com/nodejs/node/pull/23274)
* **http**:
  - added aborted property to request (Robert Nagy) [#20094](https://github.com/nodejs/node/pull/20094)
* **http2**:
  - graduate from experimental (James M Snell) [#22466](https://github.com/nodejs/node/pull/22466)
PR-URL: https://github.com/nodejs/node/pull/23974
2018-11-15 | 2018-11-15, Version 11.2.0 (Current) | Ruben Bridgewater
Notable changes:
* deps:
  * A new experimental HTTP parser (`llhttp`) is now supported. https://github.com/nodejs/node/pull/24059
* timers:
  * Fixed an issue that could cause setTimeout to stop working as expected. https://github.com/nodejs/node/pull/24322
* Windows
  * A crashing process will now show the names of stack frames if the node.pdb file is available. https://github.com/nodejs/node/pull/23822
  * Continued effort to improve the installer's new stage that installs native build tools. https://github.com/nodejs/node/pull/23987, https://github.com/nodejs/node/pull/24348
* child_process:
  * On Windows the `windowsHide` option default was restored to `false`. This means `detached` child processes and GUI apps will once again start in a new window. https://github.com/nodejs/node/pull/24034
* Added new collaborators:
  * [oyyd](https://github.com/oyyd) - Ouyang Yadong. https://github.com/nodejs/node/pull/24300
  * [psmarshall](https://github.com/psmarshall) - Peter Marshall. https://github.com/nodejs/node/pull/24170
  * [shisama](https://github.com/shisama) - Masashi Hirano. https://github.com/nodejs/node/pull/24136
PR-URL: https://github.com/nodejs/node/pull/24350
2018-11-07 | tools: enable 80-char line length markdown linting | Rich Trott
PR-URL: https://github.com/nodejs/node/pull/24094
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2018-11-02 | 2018-11-02, Version 11.1.0 (Current) | Michaël Zasso
Notable changes:
* deps
  * Updated ICU to 63.1. https://github.com/nodejs/node/pull/23715
* repl
  * Top-level for-await-of is now supported in the REPL. https://github.com/nodejs/node/pull/23841
* timers
  * Fixed an issue that could cause timers to enter an infinite loop. https://github.com/nodejs/node/pull/23870
PR-URL: https://github.com/nodejs/node/pull/23922
2018-11-01 | doc: revise CHANGELOG.md text | Rich Trott
Make the text shorter and clearer.
PR-URL: https://github.com/nodejs/node/pull/23988
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2018-10-30 | 2018-10-30 Version 10.13.0 'Dubnium' (LTS) | Myles Borins
This release marks the transition of Node.js 10.x into Long Term Support (LTS) with the codename 'Dubnium'. The 10.x release line now moves in to "Active LTS" and will remain so until April 2020. After that time it will move in to "Maintenance" until end of life in April 2021.
Notable Changes:
This release only includes minimal changes necessary to fix known regressions prior to LTS.
PR-URL: https://github.com/nodejs/node/pull/23831
2018-10-23 | 2018-10-23, Version 11.0.0 (Current) | James M Snell
Notable changes:
* Build
  * FreeBSD 10 is no longer supported. [#22617](https://github.com/nodejs/node/pull/22617)
* `child_process`
  * The default value of the `windowsHide` option has been changed to `true`. [#21316](https://github.com/nodejs/node/pull/21316)
* `console`
  * `console.countReset()` will emit a warning if the timer being reset does not exist. [#21649](https://github.com/nodejs/node/pull/21649)
  * `console.time()` will no longer reset a timer if it already exists. [#20442](https://github.com/nodejs/node/pull/20442)
* Dependencies
  * V8 has been updated to 7.0. [#22754](https://github.com/nodejs/node/pull/22754)
* `fs`
  * The `fs.read()` method now requires a callback. [#22146](https://github.com/nodejs/node/pull/22146)
  * The previously deprecated `fs.SyncWriteStream` utility has been removed. [#20735](https://github.com/nodejs/node/pull/20735)
* `http`
  * The `http`, `https`, and `tls` modules now use the WHATWG URL parser by default. [#20270](https://github.com/nodejs/node/pull/20270)
* General
  * Use of `process.binding()` has been deprecated. Userland code using `process.binding()` should re-evaluate that use and begin migrating. If there are no supported API alternatives, please open an issue in the Node.js GitHub repository so that a suitable alternative may be discussed.
  * An experimental implementation of `queueMicrotask()` has been added. [#22951](https://github.com/nodejs/node/pull/22951)
* Internal
  * Windows performance-counter support has been removed. [#22485](https://github.com/nodejs/node/pull/22485)
  * The `--expose-http2` command-line option has been removed. [#20887](https://github.com/nodejs/node/pull/20887)
* Timers
  * Interval timers will be rescheduled even if previous interval threw an error. [#20002](https://github.com/nodejs/node/pull/20002)
* `util`
  * The WHATWG `TextEncoder` and `TextDecoder` are now globals. [#22281](https://github.com/nodejs/node/pull/22281)
  * `util.inspect()` output size is limited to 128 MB by default. [#22756](https://github.com/nodejs/node/pull/22756)
  * A runtime warning will be emitted when `NODE_DEBUG` is set for either `http` or `http2`. [#21914](https://github.com/nodejs/node/pull/21914)
2018-10-10 | 2018-10-10, Version 10.12.0 (Current) | Michaël Zasso
Notable changes:
* assert
  * The diff output is now a tiny bit improved by sorting object properties when inspecting the values that are compared with each other. https://github.com/nodejs/node/pull/22788
* cli
  * The options parser now normalizes `_` to `-` in all multi-word command-line flags, e.g. `--no_warnings` has the same effect as `--no-warnings`. https://github.com/nodejs/node/pull/23020
  * Added bash completion for the `node` binary. To generate a bash completion script, run `node --completion-bash`. The output can be saved to a file which can be sourced to enable completion. https://github.com/nodejs/node/pull/20713
* crypto
  * Added support for PEM-level encryption. https://github.com/nodejs/node/pull/23151
  * Added an API for asymmetric key pair generation. The new methods `crypto.generateKeyPair` and `crypto.generateKeyPairSync` can be used to generate public and private key pairs. The API supports RSA, DSA and EC and a variety of key encodings (both PEM and DER). https://github.com/nodejs/node/pull/22660
* fs
  * Added a `recursive` option to `fs.mkdir` and `fs.mkdirSync`. If this option is set to true, non-existing parent folders will be automatically created. https://github.com/nodejs/node/pull/21875
* http2
  * Added a `'ping'` event to `Http2Session` that is emitted whenever a non-ack `PING` is received. https://github.com/nodejs/node/pull/23009
  * Added support for the `ORIGIN` frame. https://github.com/nodejs/node/pull/22956
  * Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect protocol support to allow use of WebSockets over HTTP/2. https://github.com/nodejs/node/pull/23284
* module
  * Added `module.createRequireFromPath(filename)`. This new method can be used to create a custom require function that will resolve modules relative to the filename path. https://github.com/nodejs/node/pull/19360
* process
  * Added a `'multipleResolves'` process event that is emitted whenever a `Promise` is attempted to be resolved multiple times, e.g. if the `resolve` and `reject` functions are both called in a `Promise` executor. https://github.com/nodejs/node/pull/22218
* url
  * Added `url.fileURLToPath(url)` and `url.pathToFileURL(path)`. These methods can be used to correctly convert between file: URLs and absolute paths. https://github.com/nodejs/node/pull/22506
* util
  * Added the `sorted` option to `util.inspect()`. If set to `true`, all properties of an object and Set and Map entries will be sorted in the returned string. If set to a function, it is used as a compare function. https://github.com/nodejs/node/pull/22788
  * The `util.inspect.custom` symbol is now defined in the global symbol registry as `Symbol.for('nodejs.util.inspect.custom')`. https://github.com/nodejs/node/pull/20857
  * Added support for `BigInt` numbers in `util.format()`. https://github.com/nodejs/node/pull/22097
* V8 API
  * A number of V8 C++ APIs have been marked as deprecated since they have been removed in the upstream repository. Replacement APIs are added where necessary. https://github.com/nodejs/node/pull/23159
* Windows
  * The Windows msi installer now provides an option to automatically install the tools required to build native modules. https://github.com/nodejs/node/pull/22645
* Workers
  * Debugging support for Workers using the DevTools protocol has been implemented. https://github.com/nodejs/node/pull/21364
  * The public `inspector` module is now enabled in Workers. https://github.com/nodejs/node/pull/22769
* Added new collaborators:
  * digitalinfinity - Hitesh Kanwathirtha
PR-URL: https://github.com/nodejs/node/pull/23313
2018-09-20 | 2018-09-20, Version 10.11.0 (Current) | Michaël Zasso
Notable changes:
* fs
  * Fixed fsPromises.readdir `withFileTypes`. https://github.com/nodejs/node/pull/22832
* http2
  * Added `http2stream.endAfterHeaders` property. https://github.com/nodejs/node/pull/22843
* util
  * Added `util.types.isBoxedPrimitive(value)`. https://github.com/nodejs/node/pull/22620
* Added new collaborators:
  * boneskull (https://github.com/boneskull) - Christopher Hiller
* The Technical Steering Committee has new members:
  * apapirovski (https://github.com/apapirovski) - Anatoli Papirovski
  * gabrielschulhof (https://github.com/gabrielschulhof) - Gabriel Schulhof
PR-URL: https://github.com/nodejs/node/pull/22932
2018-09-11 | 2018-09-11, Version 8.12.0 'Carbon' (LTS) | Myles Borins
Notable Changes:
* async_hooks:
  - rename PromiseWrap.parentId (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/18633
  - remove runtime deprecation (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/19517
  - deprecate unsafe emit{Before,After} (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/18513
* cluster:
  - add cwd to cluster.settings (cjihrig) https://github.com/nodejs/node/pull/18399
  - support windowsHide option for workers (Todd Wong) https://github.com/nodejs/node/pull/17412
* crypto:
  - allow passing null as IV unless required (Tobias Nießen) https://github.com/nodejs/node/pull/18644
* deps:
  - upgrade npm to 6.2.0 (Kat Marchán) https://github.com/nodejs/node/pull/21592
  - upgrade libuv to 1.19.2 (cjihrig) https://github.com/nodejs/node/pull/18918
  - Upgrade node-inspect to 1.11.5 (Jan Krems) https://github.com/nodejs/node/pull/21055
* fs,net:
  - support as and as+ flags in stringToFlags() (Sarat Addepalli) https://github.com/nodejs/node/pull/18801
  - emit 'ready' for fs streams and sockets (Sameer Srivastava) https://github.com/nodejs/node/pull/19408
* http, http2:
  - add options to http.createServer() (Peter Marton) https://github.com/nodejs/node/pull/15752
  - add 103 Early Hints status code (Yosuke Furukawa) https://github.com/nodejs/node/pull/16644
  - add http fallback options to .createServer (Peter Marton) https://github.com/nodejs/node/pull/15752
* n-api:
  - take n-api out of experimental (Michael Dawson) https://github.com/nodejs/node/pull/19262
* perf_hooks:
  - add warning when too many entries in the timeline (James M Snell) https://github.com/nodejs/node/pull/18087
* src:
  - add public API for managing NodePlatform (Cheng Zhao) https://github.com/nodejs/node/pull/16981
  - allow --perf-(basic-)?prof in NODE\_OPTIONS (Leko) https://github.com/nodejs/node/pull/17600
  - node internals' postmortem metadata (Matheus Marchini) https://github.com/nodejs/node/pull/14901
* tls:
  - expose Finished messages in TLSSocket (Anton Salikhmetov) https://github.com/nodejs/node/pull/19102
* **trace_events**:
  - add file pattern cli option (Andreas Madsen) https://github.com/nodejs/node/pull/18480
* util:
  - implement util.getSystemErrorName() (Joyee Cheung) https://github.com/nodejs/node/pull/18186
PR-URL: https://github.com/nodejs/node/pull/21593
2018-09-06 | 2018-09-06, Version 10.10.0 (Current) | Michaël Zasso
Notable changes:
* child_process:
  * `TypedArray` and `DataView` values are now accepted as input by `execFileSync` and `spawnSync`. https://github.com/nodejs/node/pull/22409
* coverage:
  * Native V8 code coverage information can now be output to disk by setting the environment variable `NODE_V8_COVERAGE` to a directory. https://github.com/nodejs/node/pull/22527
* deps:
  * The bundled npm was upgraded to version 6.4.1. https://github.com/nodejs/node/pull/22591
    * Changelogs: [6.3.0-next.0](https://github.com/npm/cli/releases/tag/v6.3.0-next.0) [6.3.0](https://github.com/npm/cli/releases/tag/v6.3.0) [6.4.0](https://github.com/npm/cli/releases/tag/v6.4.0) [6.4.1](https://github.com/npm/cli/releases/tag/v6.4.1)
* fs:
  * The methods `fs.read`, `fs.readSync`, `fs.write`, `fs.writeSync`, `fs.writeFile` and `fs.writeFileSync` now all accept `TypedArray` and `DataView` objects. https://github.com/nodejs/node/pull/22150
  * A new boolean option, `withFileTypes`, can be passed to `fs.readdir` and `fs.readdirSync`. If set to true, the methods return an array of directory entries. These are objects that can be used to determine the type of each entry and filter them based on that without calling `fs.stat`. https://github.com/nodejs/node/pull/22020
* http2:
  * The `http2` module is no longer experimental. https://github.com/nodejs/node/pull/22466
* os:
  * Added two new methods: `os.getPriority` and `os.setPriority`, allowing to manipulate the scheduling priority of processes. https://github.com/nodejs/node/pull/22407
* process:
  * Added `process.allowedNodeEnvironmentFlags`. This object can be used to programmatically validate and list flags that are allowed in the `NODE_OPTIONS` environment variable. https://github.com/nodejs/node/pull/19335
* src:
  * Deprecated option variables in public C++ API. https://github.com/nodejs/node/pull/22515
  * Refactored options parsing. https://github.com/nodejs/node/pull/22392
* vm:
  * Added `vm.compileFunction`, a method to create new JavaScript functions from a source body, with options similar to those of the other `vm` methods. https://github.com/nodejs/node/pull/21571
* Added new collaborators:
  * [lundibundi](https://github.com/lundibundi) - Denys Otrishko
PR-URL: https://github.com/nodejs/node/pull/22716
2018-08-16 | 2018-08-15, Version 10.9.0 (Current) | Rod Vagg
Notable changes:
* buffer:
  * Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding (CVE-2018-12115)
  * Fix unintentional exposure of uninitialized memory in `Buffer.alloc()` (CVE-2018-7166)
* deps:
  * Upgrade to OpenSSL 1.1.0i, fixing:
    - Client DoS due to large DH parameter (CVE-2018-0732)
    - ECDSA key extraction via local side-channel (CVE not assigned)
  * Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
    - Memory reduction and performance improvements, details at: https://v8project.blogspot.com/2018/06/v8-release-68.html
* http: `http.get()` and `http.request()` (and `https` variants) can now accept three arguments to allow for a `URL` _and_ an `options` object (Sam Ruby) #21616
* Added new collaborators
  * Sam Ruby (https://github.com/rubys)
  * George Adams (https://github.com/gdams)
2018-08-16 | 2018-08-15, Version 8.11.4 'Carbon' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-0732 (OpenSSL)
* CVE-2018-12115 (Node.js)
Notable changes:
* buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding (CVE-2018-12115)
* deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732)
  * ECDSA key extraction via local side-channel (CVE not assigned)
2018-08-16 | 2018-08-15, Version 6.14.4 'Boron' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-0732 (OpenSSL)
* CVE-2018-12115 (Node.js)
Notable changes:
* buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding (CVE-2018-12115)
* deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732)
  * ECDSA key extraction via local side-channel (CVE not assigned)
2018-08-01 | 2018-08-01, Version 10.8.0 (Current) | Michaël Zasso
Notable changes:
* deps:
  * Upgrade npm to 6.2.0. (https://github.com/nodejs/node/pull/21592)
    * npm has moved. This release updates various URLs to point to the right places for bugs, support, and PRs.
    * Fix the regular expression matching in `xcode_emulation` in `node-gyp` to also handle version numbers with multiple-digit major versions which would otherwise break under use of XCode 10.
    * The npm tree has been *significantly* flattened. Tarball size for the npm package has gone from 8MB to 4.8MB.
    * Changelogs:
      https://github.com/npm/npm/releases/tag/v6.2.0-next.0
      https://github.com/npm/npm/releases/tag/v6.2.0-next.1
      https://github.com/npm/cli/releases/tag/v6.2.0)
PR-URL: https://github.com/nodejs/node/pull/22040
2018-07-18 | 2018-07-18, Version 10.7.0 (Current) | Michaël Zasso
Notable changes:
* console:
  * The `console.timeLog()` method has been implemented. (https://github.com/nodejs/node/pull/21312)
* deps:
  * Upgrade to libuv 1.22.0. (https://github.com/nodejs/node/pull/21731)
  * Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1). (https://github.com/nodejs/node/pull/21728)
* http:
  * Added support for passing both `timeout` and `agent` options to `http.request`. (https://github.com/nodejs/node/pull/21204)
* inspector:
  * Expose the original console API in `require('inspector').console`. (https://github.com/nodejs/node/pull/21659)
* napi:
  * Added experimental support for functions dealing with bigint numbers. (https://github.com/nodejs/node/pull/21226)
* process:
  * The `process.hrtime.bigint()` method has been implemented. (https://github.com/nodejs/node/pull/21256)
  * Added the `--title` command line argument to set the process title on startup. (https://github.com/nodejs/node/pull/21477)
* trace_events:
  * Added process_name metadata. (https://github.com/nodejs/node/pull/21477)
* Added new collaborators
  * codebytere - Shelley Vohr
PR-URL: https://github.com/nodejs/node/pull/21851
2018-07-10 | doc: update changelog with 9.x EOL | Сковорода Никита Андреевич
This removes unsupported versions from the table, as those might confuse people, especially given the
> Release versions displayed in **bold** text represent the most
> recent actively supported release.
remark below.
It was inconsistent to keep some of the EOL entries in the table while removing others (v5.x, v7.x) -- this commit takes care of that.
Instead, release status is hinted in the branch list above, highlighting two main branches -- Current and Active LTS.
Also update the link to the Release repo.
Refs: https://github.com/nodejs/Release/pull/351
PR-URL: https://github.com/nodejs/node/pull/21612
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
2018-07-04 | 2018-07-04, Version 10.6.0 (Current) | Michaël Zasso
Notable changes:
* dns:
  * An experimental promisified version of the dns module is now available. Give it a try with `require('dns').promises`. [#21264](https://github.com/nodejs/node/pull/21264)
* fs:
  * `fs.lchown` has been undeprecated now that libuv supports it. [#21498](https://github.com/nodejs/node/pull/21498)
* lib:
  * `Atomics.wake` is being renamed to `Atomics.notify` in the ECMAScript specification ([reference](https://github.com/tc39/ecma262/pull/1220)). Since Node.js now has experimental support for worker threads, we are being proactive and added a `notify` alias, while emitting a warning if `wake` is used. [#21413](https://github.com/nodejs/node/pull/21413) [#21518](https://github.com/nodejs/node/pull/21518)
* n-api:
  * Add API for asynchronous functions. [#17887](https://github.com/nodejs/node/pull/17887)
* util:
  * `util.inspect` is now able to return a result instead of throwing when the maximum call stack size is exceeded during inspection. [#20725](https://github.com/nodejs/node/pull/20725)
* vm:
  * Add `script.createCachedData()`. This API replaces the `produceCachedData` option of the `Script` constructor that is now deprecated. [#20300](https://github.com/nodejs/node/pull/20300)
* worker:
  * Support for relative paths has been added to the `Worker` constructor. Paths are interpreted relative to the current working directory. [#21407](https://github.com/nodejs/node/pull/21407)
PR-URL: https://github.com/nodejs/node/pull/21629
2018-06-20 | 2018-16-20, Version 10.5.0 (Current) | Michaël Zasso
Notable changes:
* **crypto**:
  * Support for `crypto.scrypt()` has been added. [#20816](https://github.com/nodejs/node/pull/20816)
* **fs**:
  * BigInt support has been added to `fs.stat` and `fs.watchFile`. [#20220](https://github.com/nodejs/node/pull/20220)
  * APIs that take `mode` as arguments no longer throw on values larger than `0o777`. [#20636](https://github.com/nodejs/node/pull/20636) [#20975](https://github.com/nodejs/node/pull/20975) (Fixes: [#20498](https://github.com/nodejs/node/issues/20498))
  * Fix crashes in closed event watchers. [#20985](https://github.com/nodejs/node/pull/20985) (Fixes: [#20297](https://github.com/nodejs/node/issues/20297))
* **Worker Threads**:
  * Support for multi-threading has been added behind the `--experimental-worker` flag in the `worker_threads` module. This feature is *experimental* and may receive breaking changes at any time. [#20876](https://github.com/nodejs/node/pull/20876)
PR-URL: https://github.com/nodejs/node/pull/21400
2018-06-12 | 2018-06-12, Version 10.4.1 (Current) | Evan Lucas
Notable changes:
* **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
* **http2**
  * (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  * (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
* **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
* **n-api**: Prevent use-after-free in napi_delete_async_work
PR-URL: https://github.com/nodejs-private/node-private/pull/136
2018-06-12 2018-06-12, Version 9.11.2 (Maintenance) Evan Lucas
Notable changes: * **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. * **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang * **http2** * (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup * (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0 * **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving PR-URL: https://github.com/nodejs-private/node-private/pull/135
2018-06-12 2018-06-12, Version 8.11.3 (LTS) Evan Lucas
Notable changes: * **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang * **http2** * (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup * (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0 PR-URL: https://github.com/nodejs-private/node-private/pull/126
2018-06-12 2018-06-12, Version 6.14.3 (LTS) Evan Lucas
Notable changes: * **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang PR-URL: https://github.com/nodejs-private/node-private/pull/134
2018-06-06 2018-06-06, Version 10.4.0 (Current) Myles Borins
Notable Changes: * **deps**: - update V8 to 6.7.288.43 (Michaël Zasso) https://github.com/nodejs/node/pull/19989 * **stream**: - ensure Stream.pipeline re-throws errors without callback (Blaine Bublitz) https://github.com/nodejs/node/pull/20437 PR-URL: https://github.com/nodejs/node/pull/21167
2018-05-29 2018-05-29, Version 10.3.0 (Current) Myles Borins
Notable Changes: * **deps**: - upgrade npm to 6.1.0 (Rebecca Turner) https://github.com/nodejs/node/pull/20190 * **fs**: - fix reads with pos > 4GB (Mathias Buus) https://github.com/nodejs/node/pull/21003 * **net**: - new option to allow IPC servers to be readable and writable by all users (Bartosz Sosnowski) https://github.com/nodejs/node/pull/19472 * **stream**: - fix removeAllListeners() for Stream.Readable to work as expected when no arguments are passed (Kael Zhang) https://github.com/nodejs/node/pull/20924 * **Added new collaborators** - John-David Dalton (https://github.com/jdalton) PR-URL: https://github.com/nodejs/node/pull/21011
2018-05-26 doc: mark Node 4 as EOL in changelog Teddy Katz
Node 4 has been unsupported since 2018-05-01, but the changelog was out of date and said that Node 4 was still in LTS. PR-URL: https://github.com/nodejs/node/pull/20926 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Khaidi Chu <i@2333.moe> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Matheus Marchini <matheus@sthima.com>
2018-05-24 2018-05-24, Version 10.2.1 (Current) Myles Borins
This is a follow up release to fix two regressions that were introduced in v10.2.0. PR-URL: https://github.com/nodejs/node/pull/20943
2018-05-23 2018-05-23, Version 10.2.0 (Current) Anna Henningsen
* addons: - Fixed a memory leak for users of `AsyncResource` and N-API. (Michael Dawson) https://github.com/nodejs/node/pull/20668 * assert: - The `error` parameter of `assert.throws()` can be an object containing regular expressions now. (Ruben Bridgewater) https://github.com/nodejs/node/pull/20485 * crypto: - The `authTagLength` option has been made more flexible (Tobias Nießen) https://github.com/nodejs/node/pull/20235 https://github.com/nodejs/node/pull/20039 * esm: - Builtin modules (e.g. `fs`) now provide named exports in ES6 modules. (Gus Caplan) https://github.com/nodejs/node/pull/20403 * http: - Handling of `close` and `aborted` events has been made more consistent. (Robert Nagy) https://github.com/nodejs/node/pull/20075 https://github.com/nodejs/node/pull/20611 * module: - add --preserve-symlinks-main (David Goldstein) https://github.com/nodejs/node/pull/19911 * timers: - `timeout.refresh()` has been added to the public API. (Jeremiah Senkpiel) https://github.com/nodejs/node/pull/20298 * Embedder support: - Functions for creating V8 `Isolate` and `Context` objects with Node.js-specific behaviour have been added to the API. (Allen Yonghuang Wang) https://github.com/nodejs/node/pull/20639 - Node.js `Environment`s clean up resources before exiting now. (Anna Henningsen) https://github.com/nodejs/node/pull/19377 - Support for multi-threaded embedding has been improved. (Anna Henningsen) https://github.com/nodejs/node/pull/20542 https://github.com/nodejs/node/pull/20539 https://github.com/nodejs/node/pull/20541 PR-URL: https://github.com/nodejs/node/pull/20724
2018-05-15 2018-05-15, Version 8.11.2 'Carbon' (LTS) Myles Borins
Notable Changes: deps: - update node-inspect to 1.11.3 (Jan Krems) https://github.com/nodejs/node/pull/18354 - update nghttp2 to 1.29.0 (James M Snell) https://github.com/nodejs/node/pull/17908 http2: - Sync with current release stream n-api: - Sync with current release stream PR-URL: https://github.com/nodejs/node/pull/20478
2018-05-08 2018-05-08, Version 10.1.0 (Current) Myles Borins
Notable Changes: * console: - make console.table() use colored inspect (TSUYUSATO Kitsune) https://github.com/nodejs/node/pull/20510 * fs: - move fs/promises to fs.promises (cjihrig) https://github.com/nodejs/node/pull/20504 * http: - added aborted property to request (Robert Nagy) https://github.com/nodejs/node/pull/20094 * n-api: - initialize a module via a special symbol (Gabriel Schulhof) https://github.com/nodejs/node/pull/20161 * src: - add public API to expose the main V8 Platform (Allen Yonghuang Wang) https://github.com/nodejs/node/pull/20447 PR-URL: https://github.com/nodejs/node/pull/20606
2018-04-30 2018-04-30, Version 6.14.2 'Boron' (LTS) Myles Borins
Notable Change: * n-api: - n-api has been backported to v6.x. It is being landed as an experimental interface, and as such is landing in a Semver-Patch release. (Gabriel Schulhof) https://github.com/nodejs/node/pull/19447 PR-URL: https://github.com/nodejs/node/pull/19996
2018-04-24 2018-04-24, Version 10.0.0 (Current) James M Snell
* Assert * Calling `assert.fail()` with more than one argument is deprecated. #70dcacd710 * Calling `assert.ok()` with no arguments will now throw. #3cd7977a42 * Calling `assert.ifError()` will now throw with any argument other than `undefined` or `null`. Previously the method would throw with any truthy value. #e65a6e81ef * The `assert.rejects()` and `assert.doesNotReject()` methods have been added for working with async functions. #599337f43e * Async_hooks * Older experimental async_hooks APIs have been removed. #1cc6b993b9 * Buffer * Uses of `new Buffer()` and `Buffer()` outside of the `node_modules` directory will now emit a runtime deprecation warning. #9d4ab90117 * `Buffer.isEncoding()` now returns `undefined` for falsy values, including an empty string. #452eed956e * `Buffer.fill()` will throw if an attempt is made to fill with an empty `Buffer`. #1e802539b2 * Child Process * Undefined properties of env are ignored. #38ee25e2e2, #85739b6c5b * Console * The `console.table()` method has been added. #97ace04492 * Crypto * The `crypto.createCipher()` and `crypto.createDecipher()` methods have been deprecated. Please use `crypto.createCipheriv()` and `crypto.createDecipheriv()` instead. #81f88e30dd * The `decipher.finaltol()` method has been deprecated. #19f3927d92 * The `crypto.DEFAULT_ENCODING` property has been deprecated. #6035beea93 * The `ECDH.convertKey()` method has been added. #f2e02883e7 * The `crypto.fips` property has been deprecated. #6e7992e8b8 * Dependencies * V8 has been updated to 6.6. #9daebb48d6 * OpenSSL has been updated to 1.1.0h. #66cb29e646 * EventEmitter * The `EventEmitter.prototype.off()` method has been added as an alias for `EventEmitter.prototype.removeListener()`. #3bb6f07d52 * File System * The `fs.promises` API provides experimental promisified versions of the `fs` functions. #329fc78e49 * Invalid path errors are now thrown synchronously. #d8f73385e2 * The `fs.readFile()` method now partitions reads to avoid thread pool exhaustion. 
#67a4ce1c6e * HTTP * Processing of HTTP Status codes `100`, `102-199` has been improved. #baf8495078 * Multi-byte characters in URL paths are now forbidden. #b961d9fd83 * N-API * The n-api is no longer experimental. #cd7d7b15c1 * Net * The `'close'` event will be emitted after `'end'`. #9b7a6914a7 * Perf_hooks * The `PerformanceObserver` class is now an `AsyncResource` and can be monitored using `async_hooks`. #009e41826f * Trace events are now emitted for performance events. #9e509b622b * The `performance` API has been simplified. #2ec6995555 * Performance milestone marks will be emitted as trace events. #96cb4fb795 * Process * Using non-string values for `process.env` is deprecated. #5826fe4e79 * The `process.assert()` method is deprecated. #703e37cf3f * REPL * REPL now experimentally supports top-level await when using the `--experimental-repl-await` flag. #eeab7bc068 * The previously deprecated "magic mode" has been removed. #4893f70d12 * The previously deprecated `NODE_REPL_HISTORY_FILE` environment variable has been removed. #60c9ad7979 * Proxy objects are shown as Proxy objects when inspected. #90a43906ab * Streams * The `'readable'` event is now always deferred with nextTick. #1e0f3315c7 * A new `pipeline()` method has been provided for building end-to-data stream pipelines. #a5cf3feaf1 * Experimental support for async for-await has been added to `stream.Readable`. #61b4d60c5d * Timers * The `enroll()` and `unenroll()` methods have been deprecated. #68783ae0b8 * TLS * The `tls.convertNPNProtocols()` method has been deprecated. #9204a0db6e * Support for NPN (next protocol negotiation) has been dropped. #5bfbe5ceae * The `ecdhCurve` default is now `'auto'`. #af78840b19 * Trace Events * A new `trace_events` top-level module allows trace event categories to be enabled/disabled at runtime. #da5d818a54 * URL * The WHATWG URL API is now a global. #312414662b * Util * `util.types.is[…]` type checks have been added. 
#b20af8088a * Support for bigint formatting has been added to `util.inspect()`. #39dc947409
2018-04-05 2018-04-05, Version 9.11.1 (Current) Myles Borins
Notable changes: An infrastructure issue caused a non-functioning msi installer for x64 to be promoted. The patch release is to ensure that all binaries and installers work as expected.
2018-04-04 2018-04-04, Version 9.11.0 (Current) Michaël Zasso
Notable changes: * deps: - Updated ICU to 61.1 (Steven R. Loomis) [#19621](https://github.com/nodejs/node/pull/19621) Includes CLDR 33 (many new languages and data improvements). * fs: - Emit 'ready' event for `ReadStream` and `WriteStream` (Sameer Srivastava) [#19408](https://github.com/nodejs/node/pull/19408) * n-api: - Bump version of n-api supported (Michael Dawson) [#19497](https://github.com/nodejs/node/pull/19497) * net: - Emit 'ready' event for `Socket` (Sameer Srivastava) [#19408](https://github.com/nodejs/node/pull/19408) * Added new collaborators - [mafintosh](https://github.com/mafintosh) Mathias Buus
2018-03-29 2018-03-29, Version 9.10.1 (Current) Myles Borins
Notable changes: No additional commits. Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract. Note that Node.js versions 10.X and later will be built with version 4.9.X or later of the GCC compiler, and it is possible that Node.js version 9.X may be built on the 4.9.X compiler at a later time as the stated minimum compiler requirement for Node.js version 9.X is 4.9.4. Refs: https://github.com/nodejs/node/blob/v9.x/BUILDING.md PR-URL: https://github.com/nodejs/node/pull/19678
2018-03-29 2018-03-29, Version 8.11.1 'Carbon' (LTS) Myles Borins
Notable changes: No additional commits. Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract. Note that Node.js versions 10.X and later will be built with version 4.9.X or later of the GCC compiler, and it is possible that Node.js version 8.X may be built on the 4.9.X compiler at a later time as the stated minimum compiler requirement for Node.js version 8.X is 4.9.4. Refs: https://github.com/nodejs/node/blob/v8.x/BUILDING.md PR-URL: https://github.com/nodejs/node/pull/19679
2018-03-29 2018-03-29, Version 6.14.1 'Boron' (LTS) Myles Borins
Notable changes: No additional commits. Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract. PR-URL: https://github.com/nodejs/node/pull/19680
2018-03-29 2018-03-29, Version 4.9.1 'Argon' (Maintenance) Myles Borins
Notable changes: No additional commits. Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract. PR-URL: https://github.com/nodejs/node/pull/19681
2018-03-28 2018-03-28, Version 9.10.0 (Current) Michaël Zasso
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2018-7158 * CVE-2018-7159 * CVE-2018-7160 Notable changes: * Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js. * **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**: A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`. * **Fix for `'path'` module regular expression denial of service (CVE-2018-7158)**: A regular expression used for parsing POSIX and Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions. * **Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values. * **Update root certificates**: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. 
* cluster: - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava) https://github.com/nodejs/node/pull/19165 * crypto: - Expose the public key of a certificate (Hannes Magnusson) https://github.com/nodejs/node/pull/17690 * n-api: - Add `napi_fatal_exception` to trigger an `uncaughtException` in JavaScript (Mathias Buus) https://github.com/nodejs/node/pull/19337 * path: - Fix regression in `posix.normalize` (Michaël Zasso) https://github.com/nodejs/node/pull/19520 * stream: - Improve stream creation performance (Brian White) https://github.com/nodejs/node/pull/19401 * Added new collaborators - [BethGriggs](https://github.com/BethGriggs) Beth Griggs PR-URL: https://github.com/nodejs-private/node-private/pull/111
2018-03-28 2018-03-28, Version 8.11.0 'Carbon' (LTS) Myles Borins
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2018-7158 * CVE-2018-7159 * CVE-2018-7160 Notable changes: * Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js. * **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**: A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`. * **Fix for `'path'` module regular expression denial of service (CVE-2018-7158)**: A regular expression used for parsing POSIX and Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions. * **Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values. * **Update root certificates**: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. PR-URL: https://github.com/nodejs-private/node-private/pull/112
2018-03-28 2018-03-28, Version 6.14.0 'Boron' (LTS) Myles Borins
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2018-7158 * CVE-2018-7159 * CVE-2018-7160 Notable changes: * Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js. * **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**: A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`. * **Fix for `'path'` module regular expression denial of service (CVE-2018-7158)**: A regular expression used for parsing POSIX and Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions. * **Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values. * **Update root certificates**: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. PR-URL: https://github.com/nodejs-private/node-private/pull/113
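Added example, not part of the commit message or the Node.js source: a `Host` header allowlist check of the kind the CVE-2018-7160 note describes, for a locally bound debugging endpoint. The function names, the sample `Host` values and the choice to accept exactly the two names the release note gives are assumptions of this example.

```javascript
'use strict';

// Names accepted in the Host header, taken literally from the release note.
const ALLOWED_HOSTNAMES = new Set(['localhost', 'localhost6']);

// Extract the host part of a Host header value ("name", "name:port",
// "[v6addr]" or "[v6addr]:port"). Returns null for anything malformed.
function hostnameFromHostHeader(host) {
  if (typeof host !== 'string' || host.length === 0) return null;
  if (host.startsWith('[')) {
    const end = host.indexOf(']');
    if (end === -1) return null;
    const rest = host.slice(end + 1);
    if (rest !== '' && !/^:[0-9]+$/.test(rest)) return null;
    return host.slice(1, end).toLowerCase();
  }
  const m = /^([^:]+)(?::([0-9]+))?$/.exec(host);
  return m ? m[1].toLowerCase() : null;
}

// True only when the browser-supplied Host names an allowlisted local name.
// A rebinding request still carries the attacker-controlled DNS name in Host,
// even though it resolved to 127.0.0.1, so an exact match rejects it.
function isAllowedInspectorHost(host, allowed = ALLOWED_HOSTNAMES) {
  const name = hostnameFromHostHeader(host);
  return name !== null && allowed.has(name);
}

// Gate for an incoming request; `headers` has lower-cased keys, as
// http.IncomingMessage#headers does in Node.js.
function checkInspectorRequest(headers) {
  return isAllowedInspectorHost(headers.host)
    ? { status: 200 }
    : { status: 400, reason: 'Host header not allowed' };
}

// Constructed sample Host values (not captured traffic).
const SAMPLE_HOSTS = [
  'localhost:9229',
  'LOCALHOST',
  'localhost6:9229',
  'attacker.example:9229',
  'localhost.attacker.example',
  'localhost:',
  '[::1]:9229',
];

for (const h of SAMPLE_HOSTS) {
  console.log(JSON.stringify(h), '->', isAllowedInspectorHost(h) ? 'allow' : 'reject');
}
```

Suffix and prefix matches are deliberately not used: `localhost.attacker.example` contains an allowed name but is rejected because the comparison is exact.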
2018-03-28 2018-03-28, Version 4.9.0 'Argon' (Maintenance) Myles Borins
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2018-7158 * CVE-2018-7159 Notable Changes: * Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js. * **Fix for `'path'` module regular expression denial of service (CVE-2018-7158)**: A regular expression used for parsing POSIX and Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions. * **Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values. * **Update root certificates**: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. PR-URL: https://github.com/nodejs-private/node-private/pull/110
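Added example, not part of the commit message or the Node.js parser source: a strict `Content-Length` validator next to a lenient one that models the behaviour the CVE-2018-7159 note describes (spaces inside the value tolerated). Function names and sample header values are constructed for this example; the duplicate-header check goes beyond the release note and follows RFC 7230 section 3.3.2.

```javascript
'use strict';

// Lenient model (assumption): whitespace inside the value is skipped,
// so "1 2" is read as 12.
function lenientContentLength(value) {
  const digits = value.replace(/[ \t]/g, '');
  return /^[0-9]+$/.test(digits) ? Number(digits) : null;
}

// Strict: optional whitespace around the value is trimmed, and what remains
// must be ASCII digits only. Signs, inner spaces, suffixes, the empty string
// and values too large to represent exactly all yield null (reject).
function strictContentLength(value) {
  const trimmed = value.replace(/^[ \t]+|[ \t]+$/g, '');
  if (!/^[0-9]+$/.test(trimmed)) return null;
  const n = Number(trimmed);
  return Number.isSafeInteger(n) ? n : null;
}

// Validate a request's raw header list, given as [name, value] pairs.
// Rejects any invalid Content-Length and any set of differing values.
function checkContentLength(rawHeaders) {
  const values = rawHeaders
    .filter(([name]) => name.toLowerCase() === 'content-length')
    .map(([, value]) => value);
  if (values.length === 0) return { ok: true, length: null };
  const parsed = values.map(strictContentLength);
  if (parsed.includes(null)) {
    return { ok: false, reason: 'invalid Content-Length' };
  }
  if (new Set(parsed).size > 1) {
    return { ok: false, reason: 'conflicting Content-Length' };
  }
  return { ok: true, length: parsed[0] };
}

// Constructed sample values (not captured traffic).
const SAMPLE_VALUES = ['12', ' 12 ', '1 2', '12abc', '+12', '', '99999999999999999999'];

for (const v of SAMPLE_VALUES) {
  console.log(
    JSON.stringify(v),
    'lenient:', lenientContentLength(v),
    'strict:', strictContentLength(v)
  );
}
```

The value `1 2` is the case the release note is about: the lenient model accepts it as 12, while the strict validator rejects it the same way it rejects `12abc`.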
2018-03-21 doc: fix changelog Myles Borins
s/9\.7\.1/9\.8\.0 PR-URL: https://github.com/nodejs/node/pull/19515 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2018-03-21 2018-03-21, Version 9.9.0 (Current) Myles Borins
Notable changes: * assert: - From now on all error messages produced by `assert` in strict mode will produce an error diff. (Ruben Bridgewater) https://github.com/nodejs/node/pull/17615 - From now on it is possible to use a validation object in throws instead of the other possibilities. (Ruben Bridgewater) https://github.com/nodejs/node/pull/17584 * crypto: - allow passing null as IV unless required (Tobias Nießen) https://github.com/nodejs/node/pull/18644 * fs: - support as and as+ flags in stringToFlags() (Sarat Addepalli) https://github.com/nodejs/node/pull/18801 * tls: - expose Finished messages in TLSSocket (Anton Salikhmetov) https://github.com/nodejs/node/pull/19102 * tty: - Add getColorDepth function to determine if terminal supports colors (Ruben Bridgewater) https://github.com/nodejs/node/pull/17615 * util: - add util.inspect compact option (Ruben Bridgewater) https://github.com/nodejs/node/pull/17576 * **Added new collaborators** - [watson](https://github.com/watson) Thomas Watson PR-URL: https://github.com/nodejs/node/pull/19428