Commit graph

236 commits

Author SHA1 Message Date
adam
2ce674fe46 nodejs: updated to 14.5.0
Version 14.5.0 (Current)

Notable Changes

V8 engine is updated to version 8.3
Initial experimental implementation of EventTarget
2020-07-03 19:00:15 +00:00
gutteridge
088cc5f256 nodejs/nodejs10/nodejs12: these now require nghttp2>=1.41.0
As of the last updates to each of these, made earlier this month, they
now require nghttp2>=1.41.0 to build. They expect
nghttp2_option_set_max_settings to be available.
2020-06-18 04:58:24 +00:00
adam
06db8f0be1 nodejs: updated to 14.4.0
Version 14.4.0 (Current)

Notable changes

This is a security release.

Vulnerabilities fixed:

CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).

Commits

- crypto: update root certificates
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
- tls: emit session after verifying certificate
- tools: update certdata.txt
2020-06-03 08:41:24 +00:00
adam
6bd0c30da6 Revbump for icu 2020-06-02 08:22:31 +00:00
wiz
188111f641 *: reset MAINTAINER for fhajny on his request 2020-05-27 19:37:36 +00:00
adam
2919b86586 nodejs: updated to 14.3.0
Version 14.3.0 (Current)

Notable Changes
REPL previews improvements with autocompletion

The output preview is changed to generate previews for autocompleted input instead of the actual input.

Pressing <enter> during a preview is now going to evaluate the whole string including the autocompleted part. Pressing <escape> cancels that behavior.

Support for Top-Level Await

It's now possible to use the await keyword outside of async functions.
2020-05-20 06:58:35 +00:00
adam
c5d1f2ed56 nodejs: updated to 14.2.0
Version 14.2.0 (Current)

Notable Changes
* Track function calls with assert.CallTracker (experimental)
* Console groupIndentation option
2020-05-08 13:47:25 +00:00
adam
7d4b705c63 revbump after boost update 2020-05-06 14:04:05 +00:00
adam
dd51385ab7 nodejs: updated to 14.1.0
Version 14.1.0

Notable Changes

deps: upgrade openssl sources to 1.1.1g
doc: add juanarbol as collaborator
http: doc deprecate abort and improve docs
module: do not warn when accessing __esModule of unfinished exports
n-api: detect deadlocks in thread-safe function
src: deprecate embedder APIs with replacements
stream:
* don't emit end after close
* don't wait for close on legacy streams
* pipeline should only destroy un-finished streams
vm: add importModuleDynamically option to compileFunction


Version 14.0.0 (Current)

Notable Changes

ECMAScript Modules - Experimental Warning Removal
New V8 ArrayBuffer API
cli, report: move --report-on-fatalerror to stable
deps: upgrade to libuv 1.37.0
fs: add fs/promises alias module
2020-04-30 06:58:21 +00:00
riastradh
a732f7fc89 lang/nodejs: Bump libuv API depends to 1.29 for uv_get_constrained_memory. 2020-04-29 19:23:10 +00:00
ryoon
333dd367b6 nodejs: Fix build under NetBSD 2020-04-17 10:57:02 +00:00
adam
19ac058519 nodejs: updated to 13.13.0
Version 13.13.0 (Current)

Notable Changes

New file system APIs

Added a new function, fs.readv (with sync and promisified versions). This function takes an array of ArrayBufferView elements and will write the data it reads sequentially to the buffers.
A new overload is available for fs.readSync, which allows to optionally pass any of the offset, length and position parameters.

Other changes

dns:
Added the dns.ALL flag, that can be passed to dns.lookup() with dns.V4MAPPED to return resolved IPv6 addresses as well as IPv4 mapped IPv6 addresses.

http:
The default maximum HTTP header size was changed from 8KB to 16KB.

n-api:
Calls to napi_call_threadsafe_function from the main thread can now return the napi_would_deadlock status in certain circumstances.

util:
Added a new maxStrLength option to util.inspect, to control the maximum length of printed strings. Its default value is Infinity.

worker:
Added support for passing a transferList along with workerData to the Worker constructor
2020-04-17 07:51:55 +00:00
adam
24daafa112 Recursive revision bump after textproc/icu update 2020-04-12 08:27:48 +00:00
adam
0ea3262011 nodejs: updated to 13.12.0
Version 13.12.0
build:
* macOS package notarization
deps:
* upgrade npm to 6.14.4
* update to uvwasi 0.0.6
* upgrade to libuv 1.35.0
lib:
* add --disable-proto option to cli
node_report:
* move diagnostic reports to stable
worker:
* allow URL in Worker constructor
util:
* use a global symbol for util.promisify.custom
2020-04-06 20:21:57 +00:00
rillig
27765e1864 lang/nodejs: allow no-op SUBST 2020-03-22 20:28:13 +00:00
adam
d4f3db6918 nodejs: updated to 3.11.0
Version 13.11.0

Notable Changes:
async_hooks: add sync enterWith to ALS
cli: allow --jitless V8 flag in NODE_OPTIONS
fs: return first folder made by mkdir recursive
n-api: define release 6
os: create a getter for kernel version
wasi: add returnOnExit option
2020-03-18 10:03:59 +00:00
tnn
22a17c931b nodejs: remove a stale portability skip. Add another one. 2020-03-13 00:45:06 +00:00
jperkin
19524e16da nodejs*: Unbreak builds, again, this time with comment. 2020-03-11 09:22:49 +00:00
adam
573b699def nodejs: updated to 13.10.1
Version 13.10.1 (Current):

In Node.js 13.9.0 deps/zlib was switched to the chromium maintained implementation. This change had the unforeseen consequence of breaking building from the tarballs we release as we were too aggressively removing unnecessary files from the deps/zlib folder. This release includes a patch that ensures that individuals will once again be able to build Node.js from source.
2020-03-05 10:13:18 +00:00
adam
c6bbb4e69e nodejs: updated to 13.10.0
Version 13.10.0 (Current):

Notable Changes

async_hooks
- introduce async-context API
stream
- support passing generator functions into pipeline()
tls
- expose SSL_export_keying_material
vm
- implement vm.measureMemory() for per-context memory measurement
2020-03-04 18:59:39 +00:00
adam
62522c0c94 nodejs: updated to 13.9.0
Version 13.9.0 (Current)
async_hooks
* add executionAsyncResource
crypto
* add crypto.diffieHellman
* add DH support to generateKeyPair
* simplify DH groups
* add key type 'dh'
test
* skip keygen tests on arm systems
perf_hooks
* add property flags to GCPerformanceEntry
process
* report ArrayBuffer memory in memoryUsage()
readline
* make tab size configurable
report
* add support for Workers
worker
* add ability to take heap snapshot from parent thread
added new collaborators
* add ronag to collaborators
2020-02-24 16:04:21 +00:00
jperkin
2dfcdec6c1 nodejs*: Consolidate python27 requirement.
It's still required as of nodejs v13.
2020-02-18 23:06:05 +00:00
adam
17f4d01def nodejs: updated to 13.8.0
Version 13.8.0 (Current):

Notable Changes

This is a security release.

Vulnerabilities fixed:

CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
2020-02-07 09:51:53 +00:00
jperkin
982c63fe94 *: Remove obsolete BUILDLINK_API_DEPENDS.openssl. 2020-01-25 10:45:10 +00:00
adam
cc82abf612 nodejs12: use external OpenSSL; bump revision 2020-01-24 18:55:49 +00:00
adam
b3c2386e9c nodejs: updated to 13.7.0
Version 13.7.0

Notable Changes
deps:
* upgrade to libuv 1.34.1
* upgrade npm to 6.13.6
module
* add API for interacting with source maps
* loader getSource, getFormat, transform hooks
* logical conditional exports ordering
* unflag conditional exports
process:
* allow monitoring uncaughtException
2020-01-24 18:52:20 +00:00
adam
a308b104e2 nodejs: updated to 13.6.0
Version 13.6.0 (Current):

Notable Changes
* assert:
  - Implement assert.match() and assert.doesNotMatch()
* events:
  - Add EventEmitter.on to async iterate over events
  - Allow monitoring error events
* fs:
  - Allow overriding fs for streams
* perf_hooks:
  - Move perf_hooks out of experimental
* repl:
  - Implement ZSH-like reverse-i-search
* tls:
  - Add PSK (pre-shared key) support
2020-01-08 22:30:38 +00:00
tnn
832b24ce43 nodejs: work around type issue in NetBSD's copy of libc++ headers 2020-01-06 23:06:44 +00:00
adam
2013de043b nodejs: updated to 13.5.0
Version 13.5.0 (Current):
Notable Changes
cli:
* add --trace-exit cli option
http,https:
* increase server headers timeout
readline:
* update ansi-regex
* promote _getCursorPos to public api
repl:
* add completion preview
util:
* add Set and map size to inspect output
wasi:
* require CLI flag to require() wasi module
2019-12-29 15:38:04 +00:00
adam
02cd59eccf Get rid of http-parser for nodejs 12+ 2019-12-13 06:26:07 +00:00
adam
7a3df3ad92 nodejs: updated to 13.3.0
Version 13.3.0:

Notable Changes
fs:
Reworked experimental recursive rmdir()
The maxBusyTries option is renamed to maxRetries, and its default is set to 0. The emfileWait option has been removed, and EMFILE errors use the same retry logic as other errors. The retryDelay option is now supported. ENFILE errors are now retried.
http:
Make maximum header size configurable per-stream or per-server
http2:
Make maximum tolerated rejected streams configurable
Allow to configure maximum tolerated invalid frames
wasi:
Introduce initial WASI support
2019-12-09 20:03:51 +00:00
adam
89d7e0a79d nodejs: updated to 10.17.0
Version 10.17.0 'Dubnium' (LTS):

Notable changes
crypto:
- add support for chacha20-poly1305 for AEAD
- increase maxmem range from 32 to 53 bits
deps:
- update npm to 6.11.3
- upgrade openssl sources to 1.1.1d
dns: remove dns.promises experimental warning
fs: remove experimental warning for fs.promises
http: makes response.writeHead return the response
http2: makes response.writeHead return the response
n-api:
- make func argument of napi_create_threadsafe_function optional
- mark version 5 N-APIs as stable
- implement date object
process: add --unhandled-rejections flag
stream:
- implement Readable.from async iterator utility
- make Symbol.asyncIterator support stable
2019-11-24 15:49:31 +00:00
rillig
8c6aee8563 lang: align variable assignments
pkglint -Wall -F --only aligned --only indent -r

No manual corrections.
2019-11-03 19:03:56 +00:00
kamil
012de308d9 nodejs: Fix build with Clang 10+ 2019-09-12 16:04:07 +00:00
maya
581bc2b0bd Create a node.js REPLACE_* mk-fragment.
Extracting the code in devel/yarn to be used in another package, too.
2019-08-18 03:44:42 +00:00
adam
4df09907ad nodejs: updated to 10.16.3
Version 10.16.3 'Dubnium' (LTS):

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
2019-08-16 15:18:16 +00:00
adam
ecfb27dc23 nodejs: updated to 10.16.2
Version 10.16.2 'Dubnium' (LTS)

Notable changes

This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy.
2019-08-07 07:33:25 +00:00
adam
aeb5ade84e nodejs: updated to 10.16.1
Version 10.16.1 'Dubnium' (LTS)

Notable changes
deps: upgrade openssl sources to 1.1.1c
stream: do not unconditionally call _read() on resume()
worker: fix nullptr deref after MessagePort deser failure
2019-08-03 07:31:15 +00:00
jperkin
03236ba2db nodejs: Work around getentropy issue on SunOS.
Noticed by Stefan Husch in joyent/pkgsrc#203.
2019-07-02 17:09:25 +00:00
adam
1859920cb9 nodejs: updated to 10.16.0
Version 10.16.0 'Dubnium' (LTS)

Notable Changes
deps:
update ICU to 64.2
upgrade npm to 6.9.0
upgrade openssl sources to 1.1.1b
upgrade to libuv 1.28.0
events: add once method to use promises with EventEmitter
n-api: mark thread-safe function as stable
repl: support top-level for-await-of
zlib: add brotli support
2019-05-31 20:52:00 +00:00
ryoon
6fc378bce9 Recursive revbump from textproc/icu 2019-04-03 00:32:25 +00:00
tsutsui
5f0411ede0 nodejs: fix SIGABRT on NetBSD/i386 8.0 by pulling upstream PR #21848.
Also apply similar ifdefs for NetBSD as FreeBSD and OpenBSD.
Now nodejs binary won't fail during lang/npm and www/firefox builds
on NetBSD/i386 8.0.

Bump PKGREVISION.

No particular comments on pkgsrc-bug@:
 http://mail-index.netbsd.org/pkgsrc-bugs/2019/03/19/msg066102.html
Should close PR pkg/53497, PR pkg/53758, PR pkg/53792, and PR pkg/53794.
2019-03-23 11:15:18 +00:00
adam
2f28391c99 nodejs: updated to 10.15.3
Version 10.15.3 'Dubnium' (LTS)
Notable Changes
doc: add antsmartian to collaborators
http: fix error check in Execute()
stream: fix end-of-stream for HTTP/2
2019-03-07 08:47:45 +00:00
adam
85337a413b nodejs: updated to 10.15.2
Version 10.15.2 'Dubnium' (LTS):

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

A fix for the following CVE is included in this release:

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
Notable Changes

http: Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by server.headersTimeout to connections in keep-alive mode.
2019-03-01 08:47:07 +00:00
rin
f4fed899a6 - Fix OpenSSL support for NetBSD/amd64 (https works fine now)
- Fix NetBSD/i386 support (hopefully also works for other ILP32 archs)
- Add NetBSD/aarch64 support
- Bump revision
2019-02-24 12:18:55 +00:00
nia
264beaac80 nodejs: Require http-parser>=2.9.0.
ok leot
2019-01-31 13:38:49 +00:00
adam
57913482b8 nodejs: updated to 10.15.1
10.15.1:
Notable Changes
doc:
- add oyyd to collaborators (Ouyang Yadong)
tls:
- throw if protocol too long
Bug fixes
2019-01-31 08:46:37 +00:00
ryoon
605971ebbf Fix build under NetBSD/i386 8.0, based on PR pkg/53758 2019-01-21 11:00:45 +00:00
jperkin
afd0682525 nodejs: Ensure largefile is enabled on SunOS. 2019-01-18 16:24:37 +00:00
ryoon
77e41b0ce1 Fix build under NetBSD/earmv7hf-el 2019-01-10 13:02:41 +00:00