2018-08-15, Version 10.9.0 (Current), @rvagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
- CVE-2018-0732 (OpenSSL)
- CVE-2018-7166 (Node.js)
- CVE-2018-12115 (Node.js)
Notable Changes
- buffer:
  - Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  - Fix unintentional exposure of uninitialized memory in Buffer.alloc() (CVE-2018-7166)
- deps:
  - Upgrade to OpenSSL 1.1.0i, fixing:
    - Client DoS due to large DH parameter (CVE-2018-0732)
    - ECDSA key extraction via local side-channel (CVE not assigned)
  - Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
    - Memory reduction and performance improvements, details at: https://v8project.blogspot.com/2018/06/v8-release-68.html
- http:
  - http.get() and http.request() (and https variants) can now accept three arguments to allow for a URL and an options object (Sam Ruby) #21616
- Added new collaborators
  - Sam Ruby (https://github.com/rubys)
  - George Adams (https://github.com/gdams)
Commits
- [58a9ae118e] - assert: fix loose assert with map and set (Ruben Bridgewater) #22145
- [1c577016b8] - benchmark: improve assert benchmarks (Ruben Bridgewater) #22211
- [734323d9eb] - buffer: stop alloc() uninitialized memory return (cjihrig) nodejs-private/node-private#137
- [2c4c17b708] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138
- [6622ac798d] - buffer: use FastBuffer when fill is set to 0 (Сковорода Никита Андреевич) #21989
- [f506a5f46e] - build: make --shared-[...]-path work on Windows (Jeremy Apthorp) #21530
- [1be6fb93c8] - build: add CONFIG_FLAGS to with-code-cache target (Daniel Bevenius) #22207
- [4520bb8a73] - build: make tools/doc/node_modules non-phony (Daniel Bevenius) #22189
- [c42ff4ebd8] - build: add crypto check to build targets (Daniel Bevenius) #22148
- [cdb8c1b44d] - build: extract common parts from addon .buildstamp (Daniel Bevenius) #22171
- [1e7a8c3016] - build: reset embedder string to "-node.0" (Michaël Zasso) #21079
- [86ab2c041e] - crypto: remove unused SSLWrap handle methods (Jon Moss) #22216
- [9212875406] - crypto: simplify state failure handling (Tobias Nießen) #22131
- [916a1d59f0] - crypto: simplify Hmac::HmacUpdate (Tobias Nießen) #22132
- [2dc7f17e8b] - (SEMVER-MINOR) crypto: add better scrypt option aliases (Anna Henningsen) #21525
- [fcf422e921] - deps: backport c608122b from upstream (Ruben Bridgewater) #22210
- [a07ccaeb19] - deps: update archs files for OpenSSL-1.1.0i (Shigeki Ohtsu) #22318
- [473996c90f] - deps: add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) #19794
- [05e48fd018] - deps: upgrade openssl sources to 1.1.0i (Shigeki Ohtsu) #22318
- [f8bc5d6320] - deps: cherry-pick 09bca09 from upstream V8 (Matheus Marchini) #22068
- [c69fdc9d5f] - (SEMVER-MINOR) deps: remove thread_local to fix V8 compilation (Peter Marshall) #21668
- [981fff714e] - deps: refactor v8.gyp (Michaël Zasso) #22017
- [5fa3ffad20] - (SEMVER-MINOR) deps: patch the V8 API to be backwards compatible with 6.7 (Peter Marshall) #21668
- [6eed40acbb] - deps: cherry-pick 804a693 from upstream V8 (Matheus Marchini) #21855
- [7eccaf86d6] - deps: V8: Backport of 0dd3390 from upstream (James M Snell) #21899
- [328c89925a] - deps: cherry-pick 907d7bc from upstream V8 (Michaël Zasso) #21838
- [afacfd2992] - deps: cherry-pick 2075910 from upstream V8 (Michaël Zasso) #21838
- [4f24256274] - deps: cherry-pick 555c811 from upstream V8 (Anna Henningsen) #21741
- [7b4272a14d] - deps: cherry-pick 477df06 from upstream v8 (Gus Caplan) #21644
- [a0bf7aa07c] - deps: cherry-pick 70c4340 from upstream V8 (Matheus Marchini) #21126
- [4994ac65b0] - deps: cherry-pick acc336c from upstream V8 (Matheus Marchini) #21126
- [be569f82f1] - deps: cherry-pick b20faff from upstream V8 (Matheus Marchini) #21126
- [6df5feb13f] - deps: cherry-pick aa6ce3e from upstream V8 (Michaël Zasso) #21079
- [8b9a956f9e] - deps: cherry-pick 5dd3395 from upstream V8 (Matheus Marchini) #21386
- [548008a6f6] - deps: update v8.gyp and run Torque (Michaël Zasso) #21079
- [9c74271a96] - deps: update V8 to 6.8.275.24 (Michaël Zasso) #21079
- [a3f3c40966] - doc: simplify urlObject.hash text (Rich Trott) #22326
- [d2848697dc] - doc: simplify urlObject.hash description (Rich Trott) #22326
- [6d29986f4d] - doc: simplify format description of urlObject.auth (Rich Trott) #22324
- [a658a4df34] - doc: remove redundant explanation of format (Rich Trott) #22324
- [3236697c0b] - doc: use italics for words-as-words (Rich Trott) #22324
- [da76b61f59] - doc: bump ICU version to avoid confusion (Csaba Palfi) #22313
- [e04b0532bf] - doc: document 'inherit' option for stdio (non-shorthand) (James Bromwell) #22309
- [882c2c017a] - doc: clarify http2 docs around class exports (James M Snell) #22247
- [dd96ba5b89] - doc: add multiple issue templates for GitHub (Tobias Nießen) #22215
- [d95a22c304] - doc: declare all parameter types (Sam Ruby) #21782
- [9e25028981] - doc: add missing option for child_process.spawnSync() (James Bromwell) #22231
- [ef8d0fc490] - doc: list encodings supported by buffer.transcode (James M Snell) #22263
- [1b41cd44b5] - doc: discuss special protocol handling (James M Snell) #22261
- [cea8d4f4e9] - doc: replace _WG_ with _team_ (Rich Trott) #22183
- [fafdae4ce1] - doc: add subprocess.ref() and subprocess.unref() (Thomas Hunter II) #22220
- [d4f3615aaf] - doc: add gdams to collaborators (George Adams) #22236
- [e75885f2e6] - doc: specify options parameter type in zlib.md (Vse Mozhet Byt) #21920
- [40af9767a2] - doc: declare all parameter types (Sam Ruby) #21782
- [38dd407c83] - doc: remove unused error codes from errors.md (Сковорода Никита Андреевич) #21491
- [6c7733f58a] - doc: update recommendations for createCipher (Tobias Nießen) #22087
- [34300aaaa4] - doc: correct crypto.randomFill() and randomFillSync() (Gerhard Stoebich) #21550
- [28870a46ac] - doc: add rubys to collaborators (Sam Ruby) #22109
- [d2ad9a2c13] - doc: fix return type of server.address() (Weijia Wang) #22043
- [168abb5801] - doc: rename stackStartFunction in assert.md (Eugene Y. Q. Shen) #22077
- [d364f9c8e7] - doc: fix changelog for v10.8.0 (Michaël Zasso) #22072
- [abac0c56b8] - doc: mark DEP0004 and DEP0042 as End-of-Life (Jon Moss) #22033
- [c6a56ae23e] - doc: correct grammatical error in BUILDING.md (Brandon Lee) #22067
- [29bc55320c] - doc: fixup process.binding deprecation code (James M Snell) #22062
- [ec9d529a32] - doc: documentation deprecation of process.binding (James M Snell) #22004
- [37369eba38] - (SEMVER-MINOR) http: allow url and options to be passed to http*.request and http*.get (Sam Ruby) #21616
- [1ca46ab6f4] - http,tls: name anonymous callbacks (Marco Levrero) #21412
- [8d226c6a79] - http2: correcting the heading format (Anto Aravinth) #22262
- [7223a91a50] - http2: explicitly disallow nested push streams (James M Snell) #22245
- [cee78bf7a2] - http2: avoid race condition in OnHeaderCallback (James M Snell) #22256
- [fcca2f7e49] - http2: remove streamError from docs (James M Snell) #22246
- [2bf9a4a09e] - https: allow url and options to be passed to https.request (Sam Ruby) #22003
- [4c5dc6e012] - inspector: tie objects lifetime to the thread they belong to (Eugene Ostroukhov) #22242
- [39898695b6] - inspector: add inspector_protocol as a direct dependency (Andrey Lushnikov) #21975
- [311ec12702] - inspector: fixed V8InspectorClient::currentTimeMS (Aleksey Kozyatinskiy) #21917
- [8f7e37337f] - lib: remove unused filterInternalStackFrames param (MaleDong) #22267
- [3f729aac20] - lib: extract validateString validator (Jon Moss) #22101
- [f570c19c89] - perf_hooks: avoid memory leak on gc observer (James M Snell) #22241
- [76a65921d3] - readline,zlib: named anonymous functions (Anto Aravinth) #21792
- [e4f346892c] - repl: support multi-line string-keyed objects (Sam Ruby) #21805
- [d0b0ea971a] - src: remove unnecessary writes in tls_wrap.cc (Anna Henningsen) #21984
- [b2ac7a750f] - src: avoid possible race during NodeBIO initialization (Anna Henningsen) #21984
- [d85b0a3c10] - src: use smart pointers for NodeBIO (Anna Henningsen) #21984
- [82e71dd8bd] - src: fix integer overflow in GetNow (Anatoli Papirovski) #22214
- [2737b46e16] - src: add READONLY_STRING_PROPERTY and simplify config (Jon Moss) #22222
- [8b5485dcf5] - src: fix up doc comment for experimental-worker bool (Anna Henningsen) #22165
- [e90e56f4ca] - src: remove calls to deprecated v8 functions (NumberValue) (Ujjwal Sharma) #22094
- [c09872b749] - src: remove unused env->vm_parsing_context_symbol (Jon Moss) #22034
- [6ca00d7044] - src: remove unused env strings (Jon Moss) #22137
- [0ca831a0ed] - src: clean up PackageConfig pseudo-boolean fields (Anna Henningsen) #21987
- [00c33a5131] - src: clean up agent loop when exiting through destructor (Anna Henningsen) #21867
- [ba480d33ce] - src: use only one tracing write fs req at a time (Anna Henningsen) #21867
- [6b58746b2e] - src: use unique_ptr for internal JSON trace writer (Anna Henningsen) #21867
- [ce48936077] - src: plug trace file file descriptor leak (Anna Henningsen) #21867
- [89e23021fb] - src: initialize file trace writer on tracing thread (Anna Henningsen) #21867
- [56edd5fc5b] - src: close tracing event loop (Anna Henningsen) #21867
- [4c9c1bbc45] - src: fix tracing if cwd or file path is inaccessible (Anna Henningsen) #21867
- [c101b396aa] - src: refactor default trace writer out of agent (Anna Henningsen) #21867
- [daafe6c195] - src: refactor tracing agent code (Anna Henningsen) #21867
- [4379140dbf] - src: minor refactor of node_trace_events.cc (Anna Henningsen) #21867
- [cde0e5f396] - src: reduce unnecessary includes (Anna Henningsen) #21867
- [31e3e6f1f8] - stream: fix readable behavior for highWaterMark === 0 (Denys Otrishko) #21690
- [9d89b3c7ec] - test: rename some allegories (Vse Mozhet Byt) #22307
- [1d15f33277] - test: call gc() explicitly to avoid OOM (Refael Ackermann) #22301
- [a7dad4565b] - test: move test-http-client-timeout-option-with-agent to sequential (Ouyang Yadong) #22083
- [a414b0757a] - test: add test-http2-large-file sequential test (James M Snell) #22254
- [01fe2cee5b] - test: fix error messages for OpenSSL-1.1.0i (Shigeki Ohtsu) #22318
- [c145690aad] - test: improve test coverage for comparisons (Ruben Bridgewater) #22212
- [bdc644f2ec] - test: remove common.fileExists() (Rich Trott) #22151
- [bc1cb7b7fc] - test: handle errors correctly in GC http test (Ouyang Yadong) #22185
- [cefc4a03cc] - test: remove second arg from assert.ifError() (Musa Hamwala) #22190
- [b1cbbbc7af] - test: move require of https to after crypto check (Daniel Bevenius) #22148
- [a6ab19a96a] - test: move require of http2 to after crypto check (Daniel Bevenius) #22148
- [7a4c7e6c82] - test: don't mask descriptor.enumerable (Thomas Leah) #22172
- [5018661a85] - test: remove common.fileExists() (Richard Lau) #22200
- [77ce40fa03] - test: remove unused argument in assertion (yahavfuchs) #22113
- [6daa4f8797] - test: update postmortem metadata test (cjihrig) #21079
- [16a929b867] - test: fix scriptParsed event expectations (Ingvar Stepanyan) #21079
- [e58c17b849] - test: update certificates and private keys (Fedor Indutny) #22184
- [d38ccaa421] - test: fix n-api addon build warnings (Kyle Farnung) #21808
- [d66e52fb8e] - test: run ESM tests in parallel (Michaël Zasso) #21919
- [6cff57e98d] - test: fix incorrect file mode check (Timothy Gu) #22023
- [dafaff3a5e] - test: remove unused config (Benjamin Gruenbaum) #21985
- [a569ae4b44] - test: remove third argument from assert.strictEqual() (Rishabh Singh) #22051
- [a60060b499] - test: remove third argument from call to assert.strictEqual() (Michael Sommer) #22047
- [246a94f301] - test: see value of "hadError" in tls test (Oryan Moshe) #22069
- [a40ee213b3] - test: improve reliability in http2-session-timeout (Rich Trott) #22026
- [e2d97eeb65] - test: remove outdated documentation (Jon Moss) #22009
- [94746d6a47] - test: remove outdated, non-functioning test (Anatoli Papirovski) #20894
- [0beffc0f3b] - test: remove test/gc, integrate into parallel (Anna Henningsen) #22001
- [c2372eac16] - test: add tracing crash regression test (Eugene Ostroukhov) #21867
- [7e23080d45] - test: pass through stderr in benchmark tests (Anna Henningsen) #21860
- [52020dc09a] - test: refactor test-http2-compat-serverresponse-finished.js (Anto Aravinth) #21929
- [88665b3cef] - test,doc: fix async-hooks coverage doc for md lint (Rod Vagg) #22296
- [d60b017135] - test,doc: adjust markdown table for linting (Rich Trott) #22221
- [8f56cc0321] - test,doc: adjust async-hooks coverage doc for lint (Rich Trott) #22221
- [5c41caa1cc] - test,doc: wrap common module md doc at 80 chars (Rich Trott) #22221
- [21883be05d] - test,doc: fix lint error in test fixtures (Rich Trott) #22221
- [ec2209dc8b] - tls: change var to const (Eugen Cazacu) #22219
- [2d1c1853e9] - tls: remove SLAB_BUFFER_SIZE (Anatoli Papirovski) #21199
- [f989681e34] - tls: preallocate SSL cipher array (Tobias Nießen) #22136
- [6cd2d1dddc] - tools: fix header escaping regression (Sam Ruby) #22084
- [80dd0445c6] - tools: add no-misleading-character-class ESLint rule (Vse Mozhet Byt) #22278
- [bc35f17b7b] - tools: do not autolink section to itself (Vse Mozhet Byt) #22138
- [950a4a9b91] - tools: update ESLint to 5.3.0 (Rich Trott) #22134
- [0c67d326dc] - tools: convert addon-verify to remark (Sam Ruby) #21978
- [c85d00b786] - tools: produce JSON documentation using unified/remark/rehype (Sam Ruby) #21697
- [f0c871b0c7] - tools: add make format-cpp to run clang-format on C++ diffs (Joyee Cheung) #21997
- [5a4abbadfe] - tools: update to using dmn 1.0.11 (Rich Trott) #22035
- [7a7c194f4e] - tools: fix docs and run known_issues by default (Jon Moss) #21910
- [4995b28a11] - tools,build: apply markdown linting to test dir (Rich Trott) #22221
- [ad46cca104] - trace_events: add node.promises category, rejection counter (James M Snell) #22124
- [b171fa2530] - util: improve display of iterators and weak entries (Ruben Bridgewater) #20961
- [f1c22eaa56] - util,assert: fix boxed primitives bug (Ruben Bridgewater) #22243
- [677d10cdd1] - worker: fix deadlock when calling terminate from exit handler (Anna Henningsen) #22073
- [4b0d2de5f4] - zlib: remove unused parameters (MaleDong) #22115