We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
Buffer.write()
Buffer.alloc()
http.get()
http.request()
https
URL
options
58a9ae118e
1c577016b8
734323d9eb
2c4c17b708
6622ac798d
f506a5f46e
1be6fb93c8
4520bb8a73
c42ff4ebd8
cdb8c1b44d
1e7a8c3016
86ab2c041e
9212875406
916a1d59f0
2dc7f17e8b
fcf422e921
a07ccaeb19
473996c90f
05e48fd018
f8bc5d6320
c69fdc9d5f
981fff714e
5fa3ffad20
6eed40acbb
7eccaf86d6
328c89925a
afacfd2992
4f24256274
7b4272a14d
a0bf7aa07c
4994ac65b0
be569f82f1
6df5feb13f
8b9a956f9e
548008a6f6
9c74271a96
a3f3c40966
d2848697dc
6d29986f4d
a658a4df34
3236697c0b
da76b61f59
e04b0532bf
882c2c017a
dd96ba5b89
d95a22c304
9e25028981
ef8d0fc490
1b41cd44b5
cea8d4f4e9
fafdae4ce1
d4f3615aaf
e75885f2e6
40af9767a2
38dd407c83
6c7733f58a
34300aaaa4
28870a46ac
d2ad9a2c13
168abb5801
d364f9c8e7
abac0c56b8
c6a56ae23e
29bc55320c
ec9d529a32
37369eba38
1ca46ab6f4
8d226c6a79
7223a91a50
cee78bf7a2
fcca2f7e49
streamError
2bf9a4a09e
4c5dc6e012
39898695b6
311ec12702
8f7e37337f
3f729aac20
f570c19c89
76a65921d3
e4f346892c
d0b0ea971a
b2ac7a750f
d85b0a3c10
82e71dd8bd
2737b46e16
8b5485dcf5
e90e56f4ca
c09872b749
6ca00d7044
0ca831a0ed
00c33a5131
ba480d33ce
6b58746b2e
ce48936077
89e23021fb
56edd5fc5b
4c9c1bbc45
c101b396aa
daafe6c195
4379140dbf
cde0e5f396
31e3e6f1f8
9d89b3c7ec
1d15f33277
a7dad4565b
a414b0757a
01fe2cee5b
c145690aad
bdc644f2ec
bc1cb7b7fc
cefc4a03cc
b1cbbbc7af
a6ab19a96a
7a4c7e6c82
5018661a85
77ce40fa03
6daa4f8797
16a929b867
e58c17b849
d38ccaa421
d66e52fb8e
6cff57e98d
dafaff3a5e
a569ae4b44
a60060b499
246a94f301
a40ee213b3
e2d97eeb65
94746d6a47
0beffc0f3b
c2372eac16
7e23080d45
52020dc09a
88665b3cef
d60b017135
8f56cc0321
5c41caa1cc
21883be05d
ec2209dc8b
2d1c1853e9
f989681e34
6cd2d1dddc
80dd0445c6
bc35f17b7b
950a4a9b91
0c67d326dc
c85d00b786
f0c871b0c7
make format-cpp
5a4abbadfe
7a7c194f4e
4995b28a11
ad46cca104
b171fa2530
f1c22eaa56
677d10cdd1
4b0d2de5f4
The text was updated successfully, but these errors were encountered:
No branches or pull requests
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
Notable Changes
Buffer.write()for UCS-2 encoding (CVE-2018-12115)Buffer.alloc()(CVE-2018-7166)http.get()andhttp.request()(andhttpsvariants) can now accept three arguments to allow for aURLand anoptionsobject (Sam Ruby) #21616Commits
58a9ae118e] - assert: fix loose assert with map and set (Ruben Bridgewater) #221451c577016b8] - benchmark: improve assert benchmarks (Ruben Bridgewater) #22211734323d9eb] - buffer: stop alloc() uninitialized memory return (cjihrig) nodejs-private/node-private#1372c4c17b708] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#1386622ac798d] - buffer: use FastBuffer when fill is set to 0 (Сковорода Никита Андреевич) #21989f506a5f46e] - build: make --shared-[...]-path work on Windows (Jeremy Apthorp) #215301be6fb93c8] - build: add CONFIG_FLAGS to with-code-cache target (Daniel Bevenius) [#22207](https://github.com/build: add CONFIG_FLAGS to with-code-cache target nodejs/node#22207)
4520bb8a73] - build: make tools/doc/node_modules non-phony (Daniel Bevenius) #22189c42ff4ebd8] - build: add crypto check to build targets (Daniel Bevenius) #22148cdb8c1b44d] - build: extract common parts from addon .buildstamp (Daniel Bevenius) #221711e7a8c3016] - build: reset embedder string to "-node.0" (Michaël Zasso) #2107986ab2c041e] - crypto: remove unused SSLWrap handle methods (Jon Moss) #222169212875406] - crypto: simplify state failure handling (Tobias Nießen) #22131916a1d59f0] - crypto: simplify Hmac::HmacUpdate (Tobias Nießen) #221322dc7f17e8b] - (SEMVER-MINOR) crypto: add better scrypt option aliases (Anna Henningsen) #21525fcf422e921] - deps: backport c608122b from upstream (Ruben Bridgewater) #22210a07ccaeb19] - deps: update archs files for OpenSSL-1.1.0i (Shigeki Ohtsu) #22318473996c90f] - deps: add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) #1979405e48fd018] - deps: upgrade openssl sources to 1.1.0i (Shigeki Ohtsu) #22318f8bc5d6320] - deps: cherry-pick 09bca09 from upstream V8 (Matheus Marchini) #22068c69fdc9d5f] - (SEMVER-MINOR) deps: remove thread_local to fix V8 compilation (Peter Marshall) #21668981fff714e] - deps: refactor v8.gyp (Michaël Zasso) #220175fa3ffad20] - (SEMVER-MINOR) deps: patch the V8 API to be backwards compatible with 6.7 (Peter Marshall) #216686eed40acbb] - deps: cherry-pick 804a693 from upstream V8 (Matheus Marchini) #218557eccaf86d6] - deps: V8: Backport of 0dd3390 from upstream (James M Snell) #21899328c89925a] - deps: cherry-pick 907d7bc from upstream V8 (Michaël Zasso) #21838afacfd2992] - deps: cherry-pick 2075910 from upstream V8 (Michaël Zasso) #218384f24256274] - deps: cherry-pick 555c811 from upstream V8 (Anna Henningsen) #217417b4272a14d] - deps: cherry-pick 477df06 from upstream v8 (Gus Caplan) #21644a0bf7aa07c] - deps: cherry-pick 70c4340 from upstream V8 (Matheus Marchini) #211264994ac65b0] - deps: cherry-pick acc336c from upstream V8 (Matheus Marchini) #21126be569f82f1] - deps: cherry-pick b20faff from upstream V8 (Matheus Marchini) #211266df5feb13f] - deps: cherry-pick aa6ce3e from upstream V8 (Michaël Zasso) #210798b9a956f9e] - deps: cherry-pick 5dd3395 from upstream V8 (Matheus Marchini) #21386548008a6f6] - deps: update v8.gyp and run Torque (Michaël Zasso) #210799c74271a96] - deps: update V8 to 6.8.275.24 (Michaël Zasso) #21079a3f3c40966] - doc: simplify urlObject.hash text (Rich Trott) #22326d2848697dc] - doc: simplify urlObject.hash description (Rich Trott) #223266d29986f4d] - doc: simplify format description of urlObject.auth (Rich Trott) #22324a658a4df34] - doc: remove redundant explanation of format (Rich Trott) #223243236697c0b] - doc: use italics for words-as-words (Rich Trott) #22324da76b61f59] - doc: bump ICU version to avoid confusion (Csaba Palfi) #22313e04b0532bf] - doc: document 'inherit' option for stdio (non-shorthand) (James Bromwell) #22309882c2c017a] - doc: clarify http2 docs around class exports (James M Snell) #22247dd96ba5b89] - doc: add multiple issue templates for GitHub (Tobias Nießen) #22215d95a22c304] - doc: declare all parameter types (Sam Ruby) #217829e25028981] - doc: add missing option for child_process.spawnSync() (James Bromwell) #22231ef8d0fc490] - doc: list encodings supported by buffer.transcode (James M Snell) #222631b41cd44b5] - doc: discuss special protocol handling (James M Snell) #22261cea8d4f4e9] - doc: replace _WG_ with _team_ (Rich Trott) #22183fafdae4ce1] - doc: add subprocess.ref() and subprocess.unref() (Thomas Hunter II) #22220d4f3615aaf] - doc: add gdams to collaborators (George Adams) [#22236](https://github.com/nodejs/node/pull/22236)
e75885f2e6] - doc: specifyoptionsparameter type in zlib.md (Vse Mozhet Byt) #2192040af9767a2] - doc: declare all parameter types (Sam Ruby) #2178238dd407c83] - doc: remove unused error codes from errors.md (Сковорода Никита Андреевич) #214916c7733f58a] - doc: update recommendations for createCipher (Tobias Nießen) #2208734300aaaa4] - doc: correct crypto.randomFill() and randomFillSync() (Gerhard Stoebich) #2155028870a46ac] - doc: add rubys to collaborators (Sam Ruby) #22109d2ad9a2c13] - doc: fix return type of server.address() (Weijia Wang) #22043168abb5801] - doc: rename stackStartFunction in assert.md (Eugene Y. Q. Shen) #22077d364f9c8e7] - doc: fix changelog for v10.8.0 (Michaël Zasso) #22072abac0c56b8] - doc: mark DEP0004 and DEP0042 as End-of-Life (Jon Moss) #22033c6a56ae23e] - doc: correct grammatical error in BUILDING.md (Brandon Lee) #2206729bc55320c] - doc: fixup process.binding deprecation code (James M Snell) #22062ec9d529a32] - doc: documentation deprecation of process.binding (James M Snell) #2200437369eba38] - (SEMVER-MINOR) http: allow url and options to be passed to http*.request and http*.get (Sam Ruby) #216161ca46ab6f4] - http,tls: name anonymous callbacks (Marco Levrero) #214128d226c6a79] - http2: correcting the heading format (Anto Aravinth) #222627223a91a50] - http2: explicitly disallow nested push streams (James M Snell) #22245cee78bf7a2] - http2: avoid race condition in OnHeaderCallback (James M Snell) #22256fcca2f7e49] - http2: removestreamErrorfrom docs (James M Snell) #222462bf9a4a09e] - https: allow url and options to be passed to https.request (Sam Ruby) #220034c5dc6e012] - inspector: tie objects lifetime to the thread they belong to (Eugene Ostroukhov) #2224239898695b6] - inspector: add inspector_protocol as a direct dependency (Andrey Lushnikov) #21975311ec12702] - inspector: fixed V8InspectorClient::currentTimeMS (Aleksey Kozyatinskiy) #219178f7e37337f] - lib: remove unused filterInternalStackFrames param (MaleDong) #222673f729aac20] - lib: extract validateString validator (Jon Moss) #22101f570c19c89] - perf_hooks: avoid memory leak on gc observer (James M Snell) #2224176a65921d3] - readline,zlib: named anonymous functions (Anto Aravinth) #21792e4f346892c] - repl: support mult-line string-keyed objects (Sam Ruby) #21805d0b0ea971a] - src: remove unnecessary writes in tls_wrap.cc (Anna Henningsen) #21984b2ac7a750f] - src: avoid possible race during NodeBIO initialization (Anna Henningsen) #21984d85b0a3c10] - src: use smart pointers for NodeBIO (Anna Henningsen) #2198482e71dd8bd] - src: fix integer overflow in GetNow (Anatoli Papirovski) #222142737b46e16] - src: add READONLY_STRING_PROPERTY and simplify config (Jon Moss) #222228b5485dcf5] - src: fix up doc comment for experimental-worker bool (Anna Henningsen) #22165e90e56f4ca] - src: remove calls to deprecated v8 functions (NumberValue) (Ujjwal Sharma) #22094c09872b749] - src: remove unused env->vm_parsing_context_symbol (Jon Moss) #220346ca00d7044] - src: remove unused env strings (Jon Moss) #221370ca831a0ed] - src: clean up PackageConfig pseudo-boolean fields (Anna Henningsen) #2198700c33a5131] - src: clean up agent loop when exiting through destructor (Anna Henningsen) #21867ba480d33ce] - src: use only one tracing write fs req at a time (Anna Henningsen) #218676b58746b2e] - src: use unique_ptr for internal JSON trace writer (Anna Henningsen) #21867ce48936077] - src: plug trace file file descriptor leak (Anna Henningsen) #2186789e23021fb] - src: initialize file trace writer on tracing thread (Anna Henningsen) [#21867](https://github.com/src: refactor tracing code nodejs/node#21867)
56edd5fc5b] - src: close tracing event loop (Anna Henningsen) #218674c9c1bbc45] - src: fix tracing if cwd or file path is inaccessible (Anna Henningsen) #21867c101b396aa] - src: refactor default trace writer out of agent (Anna Henningsen) #21867daafe6c195] - src: refactor tracing agent code (Anna Henningsen) #218674379140dbf] - src: minor refactor of node_trace_events.cc (Anna Henningsen) #21867cde0e5f396] - src: reduce unnecessary includes (Anna Henningsen) #2186731e3e6f1f8] - stream: fix readable behavior for highWaterMark === 0 (Denys Otrishko) #216909d89b3c7ec] - test: rename some allegories (Vse Mozhet Byt) #223071d15f33277] - test: call gc() explicitly to avoid OOM (Refael Ackermann) #22301a7dad4565b] - test: move test-http-client-timeout-option-with-agent to sequential (Ouyang Yadong) #22083a414b0757a] - test: add test-http2-large-file sequential test (James M Snell) #2225401fe2cee5b] - test: fix error messages for OpenSSL-1.1.0i (Shigeki Ohtsu) #22318c145690aad] - test: improve test coverage for comparisons (Ruben Bridgewater) #22212bdc644f2ec] - test: remove common.fileExists() (Rich Trott) #22151bc1cb7b7fc] - test: handle errors correctly in GC http test (Ouyang Yadong) #22185cefc4a03cc] - test: remove second arg from assert.ifError() (Musa Hamwala) #22190b1cbbbc7af] - test: move require of https to after crypto check (Daniel Bevenius) #22148a6ab19a96a] - test: move require of http2 to after crypto check (Daniel Bevenius) #221487a4c7e6c82] - test: don't mask descriptor.enumerable (Thomas Leah) #221725018661a85] - test: remove common.fileExists() (Richard Lau) #2220077ce40fa03] - test: remove unused argument in assertion (yahavfuchs) #221136daa4f8797] - test: update postmortem metadata test (cjihrig) #2107916a929b867] - test: fix scriptParsed event expectations (Ingvar Stepanyan) #21079e58c17b849] - test: update certificates and private keys (Fedor Indutny) #22184d38ccaa421] - test: fix n-api addon build warnings (Kyle Farnung) #21808d66e52fb8e] - test: run ESM tests in parallel (Michaël Zasso) #219196cff57e98d] - test: fix incorrect file mode check (Timothy Gu) #22023dafaff3a5e] - test: remove unused config (Benjamin Gruenbaum) #21985a569ae4b44] - test: remove third argument from assert.strictEqual() (Rishabh Singh) #22051a60060b499] - test: remove third argument from call to assert.strictEqual() (Michael Sommer) #22047246a94f301] - test: see value of "hadError" in tls test (Oryan Moshe) #22069a40ee213b3] - test: improve reliability in http2-session-timeout (Rich Trott) #22026e2d97eeb65] - test: remove outdated documentation (Jon Moss) #2200994746d6a47] - test: remove outdated, non-functioning test (Anatoli Papirovski) #208940beffc0f3b] - test: remove test/gc, integrate into parallel (Anna Henningsen) #22001c2372eac16] - test: add tracing crash regression test (Eugene Ostroukhov) #218677e23080d45] - test: pass through stderr in benchmark tests (Anna Henningsen) #2186052020dc09a] - test: refactor test-http2-compat-serverresponse-finished.js (Anto Aravinth) #2192988665b3cef] - test,doc: fix async-hooks coverage doc for md lint (Rod Vagg) #22296d60b017135] - test,doc: adjust markdown table for linting (Rich Trott) #222218f56cc0321] - test,doc: adjust async-hooks coverage doc for lint (Rich Trott) #222215c41caa1cc] - test,doc: wrap common module md doc at 80 chars (Rich Trott) #2222121883be05d] - test,doc: fix lint error in test fixtures (Rich Trott) [#22221](https://github.com/nodejs/node/pull/22221)
ec2209dc8b] - tls: change var to const (Eugen Cazacu) #222192d1c1853e9] - tls: remove SLAB_BUFFER_SIZE (Anatoli Papirovski) #21199f989681e34] - tls: preallocate SSL cipher array (Tobias Nießen) #221366cd2d1dddc] - tools: fix header escaping regression (Sam Ruby) #2208480dd0445c6] - tools: add no-misleading-character-class ESLint rule (Vse Mozhet Byt) #22278bc35f17b7b] - tools: do not autolink section to itself (Vse Mozhet Byt) #22138950a4a9b91] - tools: update ESLint to 5.3.0 (Rich Trott) #221340c67d326dc] - tools: convert addon-verify to remark (Sam Ruby) #21978c85d00b786] - tools: produce JSON documentation using unified/remark/rehype (Sam Ruby) #21697f0c871b0c7] - tools: addmake format-cppto run clang-format on C++ diffs (Joyee Cheung) #219975a4abbadfe] - tools: update to using dmn 1.0.11 (Rich Trott) #220357a7c194f4e] - tools: fix docs and run known_issues by default (Jon Moss) #219104995b28a11] - tools,build: apply markdown linting to test dir (Rich Trott) #22221ad46cca104] - trace_events: add node.promises category, rejection counter (James M Snell) #22124b171fa2530] - util: improve display of iterators and weak entries (Ruben Bridgewater) #20961f1c22eaa56] - util,assert: fix boxed primitives bug (Ruben Bridgewater) #22243677d10cdd1] - worker: fix deadlock when calling terminate from exit handler (Anna Henningsen) #220734b0d2de5f4] - zlib: remove unused parameters (MaleDong) #22115The text was updated successfully, but these errors were encountered: