zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with
windowBits set to 8. On some versions this crashes Node and you cannot
recover from it, while on some versions it throws an exception.
Node.js will now gracefully set windowBits to 9 replicating the legacy
behavior to avoid a DoS vector.
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found.
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet
was crafted in a particular way. This patch checks that there is
enough data for the required elements of an NAPTR record (2 int16, 3
bytes for string lengths) before processing a record.
- module: The module loading global fallback to the Node executable's
directory now works correctly on Windows.
- src: fix base64 decoding in a rare edge case
- tls: fix rare segmentation faults when using TLS
- buffer: The performance of .toJSON() is now up to 2859% faster on
average.
- IPC: Batched writes have been enabled for process IPC on platforms
that support Unix Domain Sockets.
- Performance gains may be up to 40% for some workloads.
- http: Control characters are now always rejected when using
http.request().
- node: Heap statistics now support values larger than 4GB.
This is a special release that contains 0 commits. While promoting
additional platforms for v4.7.1 after the release, the tarballs on
the release server were overwritten and now have different shasums.
In order to remove any ambiguity around the release we have opted
to do a semver patch release with no changes.
Notable Changes
- build: shared library support is now working for AIX builds
- repl: Passing options to the repl will no longer overwrite
defaults
- timers: Re-cancelling an already-cancelled timer will no longer throw
The SEMVER-MINOR changes include:
- build: export openssl symbols on Windows making it possible to
build addons linking against the bundled version of openssl
- debugger: make listen address configurable in the debugger server
- dgram: generalized the send queue to handle close, fixing a potential
throw when a dgram socket is closed in the listening event handler.
- http: Introduce the 451 status code "Unavailable For Legal Reasons"
- tls: introduce secureContext for tls.connect which is useful for
caching client certificates, key, and CA certificates.
Notable SEMVER-PATCH changes include:
build:
- introduce the configure --shared option for embedders
- gtest: the test reporter now outputs tap comments as yamlish
- src: node no longer aborts when c-ares initialization fails
- tls: fix memory leak when writing data to TLSWrap instance during
handshake
- build: It is now possible to build the documentation from the release
tarball
- buffer: Buffer.alloc() will no longer incorrectly return a zero filled
buffer when an encoding is passed
- deps: upgrade npm in LTS to 2.15.11
- repl: Enable tab completion for global properties
- url: url.format() will now encode all # in search
- openssl: Remove support for loading dynamic third-party engine
modules. An attacker may be able to hide malicious code to be
inserted into Node.js at runtime by masquerading as one of the
dynamic engine modules.
- http: CVE-2016-5325 - Properly validate for allowable characters
in the reason argument in ServerResponse#writeHead().
- buffer: Zero-fill excess bytes in new Buffer objects created
with Buffer.concat() while providing a totalLength parameter
that exceeds the total length of the original Buffer objects
being concatenated.
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid
wildcard certificate for its hostname due to improper validation
of *. in the wildcard string.
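The wildcard check that CVE-2016-7099 concerns is easy to get subtly wrong, so here is an added example (not Node's own tls.checkServerIdentity and not from the Node.js project) of a conservative matcher in the spirit of RFC 6125: the wildcard is accepted only as the entire leftmost label, it matches exactly one label, and it needs at least two fixed labels to its right. The function names and the sample dNSName list are illustrative assumptions.

```javascript
// Added example, not Node's tls.checkServerIdentity: a conservative hostname
// vs. certificate-name matcher. Function names are assumptions for illustration.

// Split a DNS name into labels after lowercasing and stripping a trailing dot.
function splitLabels(name) {
  return String(name).toLowerCase().replace(/\.$/, '').split('.');
}

// Return true when `hostname` is covered by the certificate name `pattern`.
// Rules enforced:
//  - a wildcard is only accepted as the ENTIRE leftmost label ("*.example.com");
//    a partial wildcard ("f*o.example.com") or one in any other label is rejected
//  - the wildcard matches exactly one label, never zero or several
//  - a wildcard needs at least two fixed labels to its right, so "*.com" is rejected
//  - empty labels (from "..") and non-printable / non-ASCII labels are rejected
//  - names without a wildcard must match the full hostname exactly
function hostnameMatchesCertName(hostname, pattern) {
  if (!hostname || !pattern || String(hostname).includes('*')) return false;
  const host = splitLabels(hostname);
  const pat = splitLabels(pattern);
  const bad = (label) => label === '' || /[^\x21-\x7e]/.test(label);
  if (host.some(bad) || pat.some(bad)) return false;
  if (host.length !== pat.length) return false; // wildcard spans exactly one label

  // Every label except the leftmost must match exactly and carry no wildcard.
  for (let i = 1; i < pat.length; i++) {
    if (pat[i].includes('*') || host[i] !== pat[i]) return false;
  }
  if (!pat[0].includes('*')) return host[0] === pat[0];
  if (pat[0] !== '*') return false; // partial wildcard such as "f*o"
  if (pat.length < 3) return false; // "*.tld" is never acceptable
  return true;
}

// Check a hostname against every dNSName a certificate presents.
function certificateCoversHost(hostname, dnsNames) {
  return dnsNames.some((name) => hostnameMatchesCertName(hostname, name));
}

// Constructed sample: a certificate carrying one exact name and one wildcard.
const sampleDnsNames = ['example.org', '*.example.org'];
console.log(certificateCoversHost('api.example.org', sampleDnsNames)); // true
console.log(certificateCoversHost('a.b.example.org', sampleDnsNames)); // false
```

The length comparison between host labels and pattern labels is what rules out the two historical failure modes at once: a wildcard silently matching a multi-label prefix, and "*." being treated as a prefix match instead of a single-label match.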
Notable Changes
- debugger:
* All properties of an array (aside from length) can now be printed
in the repl
- npm:
* Upgrade npm to 2.15.8
- stream:
* Fix for a bug that became more prevalent with the stream changes
that landed in v4.4.5.
- V8:
* Fix for a bug in crankshaft that was causing crashes on arm64
* Add missing classes to postmortem info such as JSMap and JSSet
buffer:
- Buffer no longer errors if you call lastIndexOf with a search
term longer than the buffer
contextify:
- Context objects are now properly garbage collected, this solves
a problem some individuals were experiencing with extreme memory
growth
deps:
- update npm to 2.15.5
http:
- Invalid status codes can no longer be sent. Limited to three-digit
numbers between 100 and 999.
- deps: Fix --gdbjit for embedders. Backported from v8 upstream.
- etw: Correctly display descriptors for ETW events 9 and 23 on
the windows platform.
- querystring: Restore throw when attempting to stringify bad
surrogate pair.
4.4.2
* https: Under certain conditions ssl sockets may have been
causing a memory leak when keepalive is enabled. This is no
longer the case.
* lib: The way that we were internally passing arguments was
causing a potential leak. By copying the arguments into an
array we can avoid this.
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an
attacker to set up a server that could collect tokens from
users of the command-line interface. Authentication tokens
have previously been sent with every request made by the
CLI for logged-in users, regardless of the destination of
the request. This update fixes this by only including those
tokens for requests made against the registry or registries
used for the current install.
* repl: Previously if you were using the repl in strict mode
the column number would be wrong in a stack trace. This is
no longer an issue.
4.4.1
* build:
- Updated Logos for the OSX + Windows installers
- New option to select your VS Version in the Windows installer
- Support Visual C++ Build Tools 2015
* tools: Gyp now works on OSX without XCode
Notable changes
- deps: An update to v8 that introduces a new flag
--perf_basic_prof_only_functions
- http: A new feature in the http(s) agent that catches errors on
keep-alive connections
- src: Better support for Big-Endian systems
- tls: A new feature that allows you to pass common SSL options
to tls.createSecurePair
- tools: a new flag --prof-process which will execute the tick
processor on the provided isolate files
- build: Support python path that includes spaces. This should be
of particular interest to our Windows users who may have python
living in c:/Program Files
- https: A potential fix for #3692 HTTP/HTTPS client requests
throwing EPROTO
- installer: More readable profiling information from isolate
tick logs
- npm: upgrade to npm 2.14.20
- process: Add support for symbols in event emitters. Symbols
didn't exist when it was written
- querystring: querystring.parse() is now 13-22% faster!
- streams: performance improvements for moving small buffers that
show a 5% throughput gain. IoT projects have been seen to be as
much as 10% faster with this change!
- tools: eslint has been updated to version 2.1.0
buffer
- make byteLength work with Buffer correctly (Jackson Tian)
debugger
- guard against call from non-node context (Ben Noordhuis)
- do not incept debug context (Myles Borins)
deps
- update to http-parser 2.5.2 (James Snell)
Note that this release includes a non-backward compatible change
to address a security issue. This change increases the version
of the LTS v4.x line to v4.3.0. There will be no further updates
to v4.2.x.
- http: fix defects in HTTP header parsing for requests and
responses that can allow request smuggling (CVE-2016-2086)
or response splitting (CVE-2016-2216). HTTP header parsing
now aligns more closely with the HTTP spec including
restricting the acceptable characters.
- http-parser: upgrade from 2.5.0 to 2.5.1
- openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against
the Logjam attack, TLS clients now reject Diffie-Hellman
handshakes with parameters shorter than 1024 bits, up from
the previous limit of 768 bits.
- introduce new --security-revert={cvenum} command line flag
for selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted
using --security-revert=CVE-2016-2216
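Several entries above tighten the same thing: which characters may appear in a status code, a reason phrase (CVE-2016-5325), a header value (control characters rejected in http.request) and a parsed header (CVE-2016-2086 / CVE-2016-2216). The following is an added example, not Node's own http internals and not from the Node.js project, that encodes the RFC 7230 alphabets for these fields and shows how a response head built without the checks would let a stray CR/LF split the message. Function names, regular expressions and the sample inputs are illustrative assumptions.

```javascript
// Added example, not Node's http module: character validation for the parts
// of an HTTP/1.1 message head. Names and regexes are assumptions for illustration.

// token = 1*tchar (RFC 7230 section 3.2.6); header field names must be tokens.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// A field value or reason phrase may contain HTAB, SP, VCHAR and obs-text only;
// this excludes CR, LF, NUL and the other control bytes.
const INVALID_HEADER_CHAR_RE = /[^\t\x20-\x7e\x80-\xff]/;

function isHttpToken(s) {
  return typeof s === 'string' && TOKEN_RE.test(s);
}

function isValidHeaderValue(s) {
  return typeof s === 'string' && !INVALID_HEADER_CHAR_RE.test(s);
}

// reason-phrase = *( HTAB / SP / VCHAR / obs-text ): same alphabet as a value.
const isValidReasonPhrase = isValidHeaderValue;

// The unchecked form: plain string concatenation. Any "\r\n" inside `reason`
// or a header value ends the current line early and is parsed as extra headers
// (or a second response) by the peer. Kept here only to contrast with the
// checked builder below.
function buildResponseHeadUnchecked(statusCode, reason, headers) {
  let head = `HTTP/1.1 ${statusCode} ${reason}\r\n`;
  for (const [name, value] of Object.entries(headers)) head += `${name}: ${value}\r\n`;
  return head + '\r\n';
}

// The checked form: refuse any component that cannot be represented safely.
function buildResponseHead(statusCode, reason, headers) {
  if (!Number.isInteger(statusCode) || statusCode < 100 || statusCode > 999) {
    throw new RangeError(`Invalid status code: ${statusCode}`);
  }
  if (!isValidReasonPhrase(reason)) {
    throw new TypeError('Invalid character in statusMessage.');
  }
  let head = `HTTP/1.1 ${statusCode} ${reason}\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    if (!isHttpToken(name)) {
      throw new TypeError(`Header name must be a valid HTTP token ["${name}"]`);
    }
    if (!isValidHeaderValue(value)) {
      throw new TypeError(`Invalid character in header content ["${name}"]`);
    }
    head += `${name}: ${value}\r\n`;
  }
  return head + '\r\n';
}

// Count the header lines a serialized head will be parsed into; useful when
// auditing an existing builder, because a line count above the number of
// headers supplied means a value carried its own line break.
function countHeaderLines(rawHead) {
  const lines = rawHead.split('\r\n').filter((l) => l.length > 0);
  return lines.length - 1; // minus the status line
}

// Constructed sample input: a reason phrase that carries a line break.
const taintedReason = 'OK\r\nX-Injected: 1';
console.log(countHeaderLines(buildResponseHeadUnchecked(200, taintedReason, { 'Content-Length': '0' }))); // 2
try {
  buildResponseHead(200, taintedReason, { 'Content-Length': '0' });
} catch (e) {
  console.log(e.message); // Invalid character in statusMessage.
}
```

countHeaderLines is the review-time check: run it over the output of any home-grown serializer with one supplied header and a value containing CR/LF, and a result other than 1 shows the serializer is splittable.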
Notable changes
- http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
- openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server
using DHE key exchange. Details are available at
http://openssl.org/news/secadv/20151203.txt.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
http://openssl.org/news/secadv/20151203.txt. (Shigeki Ohtsu) #4134
- v8: Backport fixes for a bug in JSON.stringify() that can result in
out-of-bounds reads for arrays. (Ben Noordhuis)