News from 2018
-
Node v9.11.1 (Current)
No additional commits.
An infrastructure issue caused a non-functioning msi installer for x64 to be promoted. The patch release is to ensure that all binaries and installers work as expected.
Windows 32-bit Installer: https://nodejs.org/dist/v9.11.1/node-v9.11.1-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v9.11.1/node-v9.11.1-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v9.11.1/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v9.11.1/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v9.11.1/node-v9.11.1.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-darwin-x64.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-x86.tar.xz
Linux 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-aix-ppc64.tar.gz
SunOS 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-sunos-x86.tar.xz
SunOS 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-sunos-x64.tar.xz
ARMv6 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-armv6l.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v9.11.1/node-v9.11.1.tar.gz
Other release files: https://nodejs.org/dist/v9.11.1/
Documentation: https://nodejs.org/docs/v9.11.1/api/
-
Node v9.11.0 (Current)
- deps:
  - Updated ICU to 61.1 (Steven R. Loomis) #19621 Includes CLDR 33 (many new languages and data improvements).
- fs:
  - Emit 'ready' event for ReadStream and WriteStream (Sameer Srivastava) #19408
- n-api:
  - Bump version of n-api supported (Michael Dawson) #19497
- net:
  - Emit 'ready' event for Socket (Sameer Srivastava) #19408
- Added new collaborators
  - mafintosh Mathias Buus
-
Node v9.10.1 (Current)
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.
-
Node v8.11.1 (LTS)
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.
-
Node v6.14.1 (LTS)
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.
-
Node v4.9.1 (Maintenance)
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.
-
Node v9.10.0 (Current)
- Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6.
- Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.
- cluster:
  - Add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165
- crypto:
  - Expose the public key of a certificate (Hannes Magnusson) #17690
- n-api:
  - Add napi_fatal_exception to trigger an uncaughtException in JavaScript (Mathias Buus) #19337
- path:
  - Fix regression in posix.normalize (Michaël Zasso) #19520
- stream:
  - Improve stream creation performance (Brian White) #19401
- Added new collaborators
  - BethGriggs Beth Griggs
-
Node v8.11.0 (LTS)
- Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6.
- Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.
-
Node v6.14.0 (LTS)
- Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6.
- Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.
-
Node v4.9.0 (Maintenance)
- Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
- Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX and Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.
- March 2018 Security Releases
- Node v9.9.0 (Current)
- Node v9.8.0 (Current)
- Node v8.10.0 (LTS)
- Node v6.13.1 (LTS)
- Node v9.7.1 (Current)
- Node v9.7.0 (Current)
- Node v9.6.1 (Current)
- Node v9.6.0 (Current)
- Node v6.13.0 (LTS)
- Node v9.5.0 (Current)
- Node v9.4.0 (Current)
- Meltdown and Spectre - Impact On Node.js
- Node v8.9.4 (LTS)
- Node v6.12.3 (LTS)