Fixes for the following CVEs are included in this release:
- CVE-2018-7158
- CVE-2018-7159
- CVE-2018-7160
Notable Changes
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A
malicious website could use a DNS rebinding attack to trick a web
browser into bypassing same-origin-policy checks and allowing HTTP
connections to localhost or to hosts on the local network, potentially
to an open inspector port as a debugger, thereby gaining full code
execution access. The inspector now only allows connections that have a
browser Host value of localhost or localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths
could be used to cause a denial of service if an attacker were able to
have a specially crafted path string passed through one of the
impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159):
The Node.js HTTP parser allowed for spaces inside Content-Length
header values. Such values now lead to rejected connections in the
same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been
added to the Node.js binary and 30 have been removed.
- build: fix npm install with --shared
- build: building with python 3 is now supported
- src: v8 options can be specified with either '_' or '-' in NODE_OPTIONS
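
The Host check described above for CVE-2018-7160, sketched as an added example (not Node.js source code) for any localhost-only debug endpoint. Function names and sample values are hypothetical, and accepting IP literals is this example's own assumption.

```javascript
// Added example, not Node.js source: Host-header allow-list for a
// localhost-only debug endpoint. Function names are hypothetical.
const ALLOWED_NAMES = new Set(['localhost', 'localhost6']);

// Split "name[:port]" or "[v6][:port]"; return null when malformed.
function hostnameFromHostHeader(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim().toLowerCase();
  if (v.startsWith('[')) {
    const close = v.indexOf(']');
    if (close === -1) return null;
    const rest = v.slice(close + 1);
    if (rest !== '' && !/^:\d{1,5}$/.test(rest)) return null;
    return v.slice(0, close + 1);
  }
  const m = /^([^:\s\/@\[\]]+)(?::\d{1,5})?$/.exec(v);
  return m ? m[1] : null;
}

// Assumption of this example: IP literals pass, because a rebinding
// attack needs the browser to send an attacker-controlled DNS name.
function isIpLiteral(host) {
  if (host.startsWith('[')) return /^\[[0-9a-f:.]+\]$/.test(host);
  const parts = host.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function isAllowedHost(headerValue) {
  const host = hostnameFromHostHeader(headerValue);
  if (host === null) return false;
  return ALLOWED_NAMES.has(host) || isIpLiteral(host);
}

// Constructed sample Host values and the decision for each.
const SAMPLE_HOSTS = ['localhost:9229', '127.0.0.1:9229', '[::1]:9229',
  'rebind.example.test:9229', 'localhost.example.test'];
function checkSamples() {
  return SAMPLE_HOSTS.map((h) => [h, isAllowedHost(h)]);
}
```

A server using this check would refuse the request before any upgrade or debugger handshake when `isAllowedHost(req.headers.host)` is false.
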
assert:
- assert.fail() can now take one or two arguments
crypto:
- add sign/verify support for RSASSA-PSS
deps:
- upgrade openssl sources to 1.0.2m
- upgrade libuv to 1.15.0
fs:
- Add support for fs.write/fs.writeSync(fd, buffer, cb) and
fs.write/fs.writeSync(fd, buffer, offset, cb) as documented
inspector:
- enable --inspect-brk
process:
- add --redirect-warnings command line argument
src:
- allow CLI args in env with NODE_OPTIONS
- --abort-on-uncaught-exception in NODE_OPTIONS
- allow --tls-cipher-list in NODE_OPTIONS
- use SafeGetenv() for NODE_REDIRECT_WARNINGS
test:
- remove common.fail()
zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with
windowBits set to 8. On some versions this crashes Node and you cannot
recover from it, while on some versions it throws an exception.
Node.js will now gracefully set windowBits to 9, replicating the legacy
behavior to avoid a DoS vector.
- build: Codesigning is fixed on macOS
- deps: Snapshots are turned back on!!!
- path: win32 volume-relative paths are working again!
- tools: v6.x can now build with ICU 59
Notable Changes
- configure:
  - add mips64el to valid_arch
- crypto:
  - Updated root certificates based on NSS 3.30
- deps:
  - upgrade OpenSSL to version 1.0.2.l
- http:
  - parse errors are now reported when NODE_DEBUG=http
  - Agent construction can now be invoked without `new`
- zlib:
  - node will now throw an Error when zlib rejects the value of
    windowBits, instead of crashing
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet
was crafted in a particular way. This patch checks that there is
enough data for the required elements of an NAPTR record (2 int16, 3
bytes for string lengths) before processing a record.
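
The length check described for CVE-2017-1000381, shown as an added JavaScript example rather than the c-ares C code. It parses the fixed part of a NAPTR RDATA (RFC 3403 layout) and rejects truncated records; all names and sample bytes are constructed for illustration.

```javascript
// Added example, not c-ares code: bounds-checked parse of NAPTR RDATA.
// Minimum record: order (int16) + preference (int16) + 3 length bytes.
const NAPTR_MIN_LEN = 2 + 2 + 3;

// <character-string>: one length byte followed by that many bytes.
function readCharString(buf, pos) {
  if (pos >= buf.length) return null;
  const end = pos + 1 + buf[pos];
  if (end > buf.length) return null; // declared length runs past the record
  return { text: String.fromCharCode(...buf.subarray(pos + 1, end)), next: end };
}

function parseNaptrRdata(buf) {
  if (buf.length < NAPTR_MIN_LEN) {
    return { ok: false, reason: 'truncated fixed fields' };
  }
  const order = (buf[0] << 8) | buf[1];
  const preference = (buf[2] << 8) | buf[3];
  let pos = 4;
  const out = { ok: true, order, preference };
  for (const name of ['flags', 'service', 'regexp']) {
    const s = readCharString(buf, pos);
    if (s === null) return { ok: false, reason: `truncated ${name}` };
    out[name] = s.text;
    pos = s.next;
  }
  out.replacementOffset = pos; // the replacement domain name starts here
  return out;
}

// Constructed sample records (not captured traffic).
const ascii = (s) => [...s].map((c) => c.charCodeAt(0));
const SAMPLE_OK = Uint8Array.from(
  [0, 100, 0, 10, 1, ...ascii('u'), 7, ...ascii('E2U+sip'), 0, 0]);
const SAMPLE_SHORT = SAMPLE_OK.subarray(0, 5);      // cut inside fixed part
const SAMPLE_BAD_LEN = Uint8Array.from(             // service claims 200 bytes
  [0, 100, 0, 10, 1, ...ascii('u'), 200, 0x45, 0]);
```
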
Notable Changes
build:
- support for building mips64el
cluster:
- disconnect() now returns a reference to the disconnected worker.
crypto:
- ability to select cert store at runtime
- Use system CAs instead of using bundled ones
- The Decipher methods setAuthTag() and setAAD now return this.
- adding support for OPENSSL_CONF again
- make LazyTransform compatible with Streams1
deps:
- upgrade libuv to 1.11.0
dns:
- Implemented {ttl: true} for resolve4() and resolve6().
process:
- add NODE_NO_WARNINGS environment variable
readline:
- add option to stop duplicates in history
src:
- support "--" after "-e" as end-of-options
tls:
- new tls.TLSSocket() supports sec ctx options
- Allow obvious key/passphrase combinations.
- module: The module loading global fallback to the Node executable's
directory now works correctly on Windows.
- src: fix base64 decoding in rare edgecase
- tls: fix rare segmentation faults when using TLS
- crypto: fix memory leak if certificate is revoked
- upgrade zlib to 1.2.11
- backport V8 fixes for spread syntax regression causing segfaults
- repl: Revert commit that broke REPL display on Windows
- performance: The performance of several APIs has been improved.
  - Buffer.compare() is up to 35% faster on average.
  - buffer.toJSON() is up to 2859% faster on average.
  - fs.*statSync() functions are now up to 9.3% faster on average.
  - os.loadavg is up to 151% faster.
  - process.memoryUsage() is up to 34% faster.
  - querystring.unescape() for Buffers is 15% faster on average.
  - querystring.stringify() is up to 7.8% faster on average.
  - querystring.parse() is up to 21% faster on average.
- IPC: Batched writes have been enabled for process IPC on platforms
  that support Unix Domain Sockets.
  - Performance gains may be up to 40% for some workloads.
- child_process: spawnSync now returns a null status when child is
  terminated by a signal.
  - This fixes the behavior to act like spawn() does.
- http:
  - Control characters are now always rejected when using
    http.request().
  - Debug messages have been added for cases when headers contain
    invalid values.
- node: Heap statistics now support values larger than 4GB.
- timers: Timer callbacks now always maintain order when interacting
  with domain error handling.
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In order
to remove any ambiguity around the release we have opted to do a semver
patch release with no changes.
Notable Changes
- build: shared library support is now working for AIX builds
- deps:
  - npm: upgrade npm to 3.10.10
  - V8: Destructuring of arrow function arguments via computed property
    no longer throws
- inspector: /json/version returns object, not an object wrapped
  in an array
- module: using --debug-brk and --eval together now works as expected
- process: improve performance of nextTick up to 20%
- repl:
  - the division operator will no longer be accidentally parsed as regex
  - improved support for generator functions
- timers: Re-canceling a cancelled timer will no longer throw
- buffer: coerce slice parameters consistently
- deps:
  - npm: upgrade npm to 3.10.9
  - V8: Various fixes to destructuring edge cases
    - cherry-pick 3c39bac from V8 upstream
    - cherry pick 7166503 from upstream v8
- gtest: the test reporter now outputs tap comments as yamlish
- inspector: inspector now prompts user to use 127.0.0.1 rather
  than localhost
- tls: fix memory leak when writing data to TLSWrap instance
  during handshake
Node.js is an evented I/O framework for the V8 JavaScript engine. It is
intended for writing scalable network programs such as web servers.
This package holds the 6.x LTS release.