2018-08-15 Version 6.14.4 'Boron' (LTS) @rvagg

[beevelop]

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• CVE-2018-0732 (OpenSSL)
• CVE-2018-12115 (Node.js)

Notable Changes

• buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
• deps: Upgrade to OpenSSL 1.0.2p, fixing:
  • Client DoS due to large DH parameter (CVE-2018-0732)
  • ECDSA key extraction via local side-channel (CVE not assigned)

Commits

• [0052926476] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138
• [dbe6551b89] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) #1836
• [7829bbcacb] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) #1389
• [cddca629b5] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) #1389
• [e6014aed52] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #22320
• [37ddce514d] - deps: upgrade openssl sources to 1.0.2p (Shigeki Ohtsu) #22320
• [08a150fcca] - inspector: don't bind to 0.0.0.0 by default (Ben Noordhuis) #21376
• [19b9d7fd77] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) #1389
• [7ccb0422fc] - test: fix error messages for OpenSSL-1.0.2p (Shigeki Ohtsu) #22320
• [58b9497ca8] - test: update certificates and private keys (Fedor Indutny) #22184
• [9863e11ea8] - test: update keys/Makefile to clean and build all (Daniel Bevenius) #19975