Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update node.js to v6.17.1 #98

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Oct 20, 2021

Mend Renovate

This PR contains the following updates:

Package Update Change
node minor 6.5.0 -> 6.17.1

Release Notes

nodejs/node

v6.17.1: 2019-04-03, Version 6.17.1 'Boron' (LTS), @​BethGriggs

Compare Source

Node 6 is due to go End-of-Life on 2019-04-30.

Notable Changes
  • http:
    • fix error check in Execute() (Brian White) #​25939
Commits

v6.17.0

Compare Source

v6.16.0: 2018-12-26, Version 6.16.0 'Boron' (LTS), @​MylesBorins

Compare Source

The 6.15.0 security release introduced some unexpected breakages on the 6.x release line.
This is a special release to fix a regression in the HTTP binary upgrade response body and add
a missing CLI flag to adjust the max header size of the http parser.

Notable Changes
  • cli:
    • add --max-http-header-size flag (cjihrig) #​24811
  • http:
    • add maxHeaderSize property (cjihrig) #​24860
Commits

v6.15.1: 2018-12-03, Version 6.15.1 'Boron' (LTS), @​rvagg

Compare Source

Notable Changes

This is a patch release to address a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to an entire keep-alive HTTP session, resulting in prematurely disconnected sockets.

Commits

v6.15.0: 2018-11-27, Version 6.15.0 'Boron' (LTS), @​rvagg

Compare Source

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  • Node.js: Debugger port 5858 listens on any interface by default (CVE-2018-12120)
  • Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  • Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  • Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
  • Node.js: HTTP request splitting (CVE-2018-12116)
  • OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  • OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Notable Changes
  • debugger: Backport of nodejs/node#​8106 to prevent the debugger from listening on 0.0.0.0. It now defaults to 127.0.0.1. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
  • deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
  • http:
    • Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
    • A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
    • Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
  • url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)
Commits

v6.14.4: 2018-08-15, Version 6.14.4 'Boron' (LTS), @​rvagg

Compare Source

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Notable Changes
  • buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  • deps: Upgrade to OpenSSL 1.0.2p, fixing:
    • Client DoS due to large DH parameter (CVE-2018-0732)
    • ECDSA key extraction via local side-channel (CVE not assigned)
Commits

v6.14.3: 2018-06-12, Version 6.14.3 'Boron' (LTS), @​evanlucas

Compare Source

Notable Changes
  • buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
Commits

v6.14.2: 2018-04-30, Version 6.14.2 'Boron' (LTS), @​MylesBorins

Compare Source

Notable Changes
  • n-api:
    • n-api has been backported to v6.x. It is being landed as an experimental interface,
      and as such is landing in a Semver-Patch release. (Gabriel Schulhof) #​19447
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant