Node.js 8.11.3 和 10.4.1 发布了,更新内容如下:
8.11.3
Notable Changes
buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
http2
(CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
(CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
Commits
[
e1ff7c3cbc] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#125[
c5a2748d8f] - doc: buffer.fill() can zero-fill on invalid input (Сковорода Никита Андреевич) nodejs-private/node-private#119[
354f2d97ff] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#123[
25c5111ca4] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#119[
10c5adf19b] - test: addRealloc()shrink after reading stream data test (Anna Henningsen) nodejs-private/node-private#132[
bc91220ca2] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#131[
acd11b01c4] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#125
下载地址:
10.4.1
Notable Changes
Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
http2
(CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
(CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
n-api: Prevent use-after-free in napi_delete_async_work
Commits
[
1bbfe9a72b] - build: fix configure script for double-digits (Misty De Meo) #21183[
4c90ee8fc6] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#117[
e5c2f575b1] - deps: patch V8 to 6.7.288.45 (Michaël Zasso) #21192[
03ded94ffe] - deps: patch V8 to 6.7.288.44 (Michaël Zasso) #21146[
4de7e0c96c] - deps,npm: float node-gyp patch on npm (Rich Trott) #21239[
92d7b6c9a0] - fs: fix promises reads with pos > 4GB (cjihrig) #21148[
8681402228] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#115[
53f8563353] - n-api: back up env before async work finalize (Gabriel Schulhof) #21129[
9ba8ed1371] - src: re-addRealloc()shrink after reading stream data (Anna Henningsen) nodejs-private/node-private#128[
8e979482fa] - Revert "src: restore stdio on program exit" (Evan Lucas) #21257[
cb5ec64956] - src: reset TTY mode before cleaning up resources (Anna Henningsen) #21257[
ae5567eaea] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#117[
e87bf625dd] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#127[
eea2bce58d] - tls: fix SSL write error handling (Anna Henningsen) nodejs-private/node-private#127[
1e49eadd68] - tools,gyp: fix regex for version matching (Rich Trott) #21216
下载地址: