Opened 3 years ago

Closed 3 years ago

#10594 closed enhancement (fixed)

node.js-9.10.1

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: normal Milestone: 8.3
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (3)

comment:1 by Bruce Dubbs, 3 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Bruce Dubbs, 3 years ago

Summary: node.js-9.10.0node.js-9.10.1

Now version 9.10.1

Version 9.10.1 is a PPC packaging issue.

8-03-28, Version 9.10.0

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  • CVE-2018-7158
  • CVE-2018-7159
  • CVE-2018-7160

Notable Changes

  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are

known to impact Node.js.

  • Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious

website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value of localhost or localhost6.

  • Fix for 'path' module regular expression denial of service (CVE-2018-7158):

A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.

  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The

Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.

  • Update root certificates: 5 additional root certificates have been added to

the Node.js binary and 30 have been removed.

cluster: Add support for NODE_OPTIONS="--inspect"

crypto: Expose the public key of a certificate

n-api: Add napi_fatal_exception to trigger an uncaughtException in JavaScript

path: Fix regression in posix.normalize

stream: Improve stream creation performance

comment:3 by Bruce Dubbs, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 20026.

Note: See TracTickets for help on using tickets.