Node v0.10.47 (Maintenance)
This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.
Notable changes:
- buffer: Zero-fill excess bytes in new
Buffer
objects created withBuffer.concat()
while providing atotalLength
parameter that exceeds the total length of the originalBuffer
objects being concatenated. (Сковорода Никита Андреевич) - http:
- CVE-2016-5325 - Properly validate for allowable characters in the
reason
argument inServerResponse#writeHead()
. Fixes a possible response splitting attack vector. This introduces a new case wherethrow
may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas) - Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
- CVE-2016-5325 - Properly validate for allowable characters in the
- openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-2183, CVE-2016-2178 and CVE-2016-6306.
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of
*.
in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian) (Ben Noordhuis)
Commits:
- [fc259c7dc4] - buffer: zero-fill uninitialized bytes in .concat() (Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/67
- [35b49ed4bb] - build: turn on -fno-delete-null-pointer-checks (Ben Noordhuis) https://github.com/nodejs/node/pull/6738
- [03f4920d6a] - crypto: don't build hardware engines (Rod Vagg) https://github.com/nodejs/node-private/pull/68
- [1cbdb1957d] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25368
- [c66408cd0c] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [68f88ea792] - deps: separate sha256/sha512-x86_64.pl for openssl (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [884d50b348] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
- [bfd6cb5699] - deps: upgrade openssl sources to 1.0.1u (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
- [3614a173d0] - http: check reason chars in writeHead (Evan Lucas) https://github.com/nodejs/node-private/pull/48
- [f2433430ca] - http: disallow sending obviously invalid status codes (Evan Lucas) https://github.com/nodejs/node-private/pull/48
- [0d7e21ee7b] - lib: make tls.checkServerIdentity() more strict (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
- [1f4a6f5bd1] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [88dcc7f5bb] - v8: fix -Wsign-compare warning in Zone::New() (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
- [fd8ac56c75] - v8: fix build errors with g++ 6.1.1 (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
Windows 32-bit Installer: https://nodejs.org/dist/v0.10.47/node-v0.10.47-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v0.10.47/x64/node-v0.10.47-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v0.10.47/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v0.10.47/x64/node.exe
Mac OS X Universal Installer: https://nodejs.org/dist/v0.10.47/node-v0.10.47.pkg
Mac OS X 64-bit Binary: https://nodejs.org/dist/v0.10.47/node-v0.10.47-darwin-x64.tar.gz
Mac OS X 32-bit Binary: https://nodejs.org/dist/v0.10.47/node-v0.10.47-darwin-x86.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v0.10.47/node-v0.10.47-linux-x86.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v0.10.47/node-v0.10.47-linux-x64.tar.gz
SmartOS 32-bit Binary: https://nodejs.org/dist/v0.10.47/node-v0.10.47-sunos-x86.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v0.10.47/node-v0.10.47-sunos-x64.tar.gz
Source Code: https://nodejs.org/dist/v0.10.47/node-v0.10.47.tar.gz
Other release files: https://nodejs.org/dist/v0.10.47/
Documentation: https://nodejs.org/docs/v0.10.47/api/
Shasums (GPG signing hash: SHA512, file hash: SHA256):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
cee8789aac9e2e5b96a1e63ae5e43ed757321c565b64a3d5d239472b18254312 node.exe
6010956e477cd2494d7d7decfca672580558519f225e797a5558955a9fbf8419 node.exp
04358767337029cab84cad1e48b95587bdeca628646437b89eae877cb3506f57 node.lib
5533b872d78b6bfb1d19ef482930dae79c3e8a85915d4b26100d2067affee6de node.pdb
6920608a46761c33056d78e504222a3a42dc8c0cf8ab6ff7497cd4a81b06d090 node-v0.10.47-darwin-x64.tar.gz
e220a658b6d52408398a2c0f88ade702154503c50183f76542292142d9686e75 node-v0.10.47-darwin-x64.tar.xz
0907e94e81dc63e284e9dcb18925ceed102ceffb8a4cefab8f729c203f371c93 node-v0.10.47-darwin-x86.tar.gz
e5d042ee7d695e5e0f5c78c59f98ae3d47de7e5a63230894a0f51010cab2376b node-v0.10.47-darwin-x86.tar.xz
6587d1040697dc7be7168413910a912f33a73ed95e0c19739abad4a63681b74e node-v0.10.47-headers.tar.gz
a3ed6bf32e0afae7c676fff35d6819406cc235b24f09972b82f2c15ac90dc7c0 node-v0.10.47-headers.tar.xz
80757ae8f7bc3161fe44615344c784918ebd93a51ca6f789a75e3d472972eb77 node-v0.10.47-linux-x64.tar.gz
c93a84934546d6a0835f053ffc0e6a4273d967e7db442ecbfc731fa40c4b1bc2 node-v0.10.47-linux-x64.tar.xz
3ee003748c6ce90918a909ef58e21376db05a2988ba6fad92fded28541ca4006 node-v0.10.47-linux-x86.tar.gz
b406f6ff4938c36ac327ae00160fa4581f4e3d1e504c2b534136191cc7409026 node-v0.10.47-linux-x86.tar.xz
10f2dba060e184ba274cddd61494f4054a8d6e2062c8b13a461bfb2f08df07c4 node-v0.10.47.pkg
e4c9b4ff3745477c92ebd467606a5b7af2b95a51484f1491c91e1824c7b2b4ae node-v0.10.47-sunos-x64.tar.gz
ef6dbe022a61aba2a86784ab11463aaf8ed637f2f8a989aef4edbaa620037330 node-v0.10.47-sunos-x64.tar.xz
f79fcd0700367506b6a8a7bf8ac0253146205ecc9617cb376744b108f126b4e3 node-v0.10.47-sunos-x86.tar.gz
0a8eddac8135851b33542ca10994a6ed4911a57584df3872bd259ca7f9120d17 node-v0.10.47-sunos-x86.tar.xz
5281fa7ddff755c34602a09ef8027f0bda0f7851b1e374fd0e0c33da93123056 node-v0.10.47.tar.gz
335bdf4db702885a8acaf2c9f241c70cabd62497361da81aca65c8e8a8e7ff09 node-v0.10.47.tar.xz
3c1aee23a996dcfd853a9fec4df05e898abab5332bac542a6ccf1661e45bf9f5 node-v0.10.47-x86.msi
0ab19d1cb3aea4b3639ce2c124c47344fd9060ce659031426fe96bfa6594b5d5 openssl-cli.exe
95d8bd6120105fd6a0327e44e8556cbdb5d21f5b431451f50eb58cf3f4112b4d openssl-cli.pdb
20d866978497f83fcf8654576a6ce42bc496096c8407e8f324eb77fa181a8a59 x64/node.exe
ceb9e983cc14076e3737153aa070fc3459e8d6a3dd81b64d5ea3298e96899c9a x64/node.exp
3ffe2805c1032ac4d636ecae6f322da862809bbaf12344e32b3f7b336b88c04e x64/node.lib
d42d0a8a090a409428d42aed8987a0160dd3054d8f70e00ce44a1ebdb414d70c x64/node.pdb
871f488dae2ccf8f1727b9773bdb4c9c0f36188783ae6d403f73c00363d9a9ed x64/node-v0.10.47-x64.msi
ec2ac36c01d2153fc814f20143d1279aba47d39b68d06753259cf2353057e036 x64/openssl-cli.exe
513827079363c3c9391f1210d224eee91e18da80a69e56e0f238acc96e7f0f0e x64/openssl-cli.pdb
-----BEGIN PGP SIGNATURE-----
iQEcBAEBAgAGBQJX6w1sAAoJEMJzeS99g1RdN1oH/2XvMEVsuNrG1vh5ADeL2wfB
ZG2iXFKbnydKDLTtqBJuDtt7vNyat5KCzKjUMNW0gGtMp9rzE+AGP8WpuQg5xFLB
xiaGtTyQ6PuXem6g0j5dMz/D9PVRESDHz5D/WeJXHRoebtl+W8TOdVnCY0DatjHf
wCGjx7ngpEo3hN6KxBZFeI3TpK1YkVBRv+hwSsU5kPVwfbMhVQd89H/Y6VO0sydS
HJ+dMPSX/LyGjJ+oH941u5eOrnL+h4skOe1PDy0DD8HjO9oaNt8Blv4vhSdyOX2y
1e3OcS3VWQxvMWkdGEzbBX4xdjsQubs9cw2EejS6iDLrS9a6rwQjPCHQowJDg8k=
=gxlj
-----END PGP SIGNATURE-----