2018-06-12, Version 9.11.2 (Current), @evanlucas
Notable Changes
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- http2
  - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  - (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
Commits
- [65ed3213ca] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#124
- [f0af3b09bd] - doc: buffer.fill() can zero-fill on invalid input (Сковорода Никита Андреевич) nodejs-private/node-private#120
- [828159fcd4] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#122
- [be103eba41] - src: re-add Realloc() shrink after reading stream data (Anna Henningsen) nodejs-private/node-private#129
- [555696df51] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#120
- [7684ba63c4] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#130
- [0ab90acaf3] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#124
- [84f23d2f12] - tls: fix SSL write error handling (Anna Henningsen) nodejs-private/node-private#130