2018-08-15, Version 6.14.4 'Boron' (LTS), @rvagg
·
27784 commits
to main
since this release
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
- CVE-2018-0732 (OpenSSL)
- CVE-2018-12115 (Node.js)
Notable Changes
- buffer: Fix out-of-bounds (OOB) write in
Buffer.write()for UCS-2 encoding (CVE-2018-12115) - deps: Upgrade to OpenSSL 1.0.2p, fixing:
- Client DoS due to large DH parameter (CVE-2018-0732)
- ECDSA key extraction via local side-channel (CVE not assigned)
Commits
- [
0052926476] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138 - [
dbe6551b89] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) #1836 - [
7829bbcacb] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) #1389 - [
cddca629b5] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) #1389 - [
e6014aed52] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #22320 - [
37ddce514d] - deps: upgrade openssl sources to 1.0.2p (Shigeki Ohtsu) #22320 - [
08a150fcca] - inspector: don't bind to 0.0.0.0 by default (Ben Noordhuis) #21376 - [
19b9d7fd77] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) #1389 - [
7ccb0422fc] - test: fix error messages for OpenSSL-1.0.2p (Shigeki Ohtsu) #22320 - [
58b9497ca8] - test: update certificates and private keys (Fedor Indutny) #22184 - [
9863e11ea8] - test: update keys/Makefile to clean and build all (Daniel Bevenius) #19975