![]() ![]() - src: drop CNNIC+StartCom certificate whitelisting (Ben Noordhuis) #19322.- openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389.- inspector: check Host header (Ali Ijaz Sheikh).- inspector: minor adjustments (Eugene Ostroukhov).- deps: upgrade http-parser to v2.8.0 (Ben Noordhuis) nodejs-private/http-parser-private#1.- deps: reject interior blanks in Content-Length (Ben Noordhuis) nodejs-private/http-parser-private#1.- deps: upgrade openssl sources to 1.0.2o (Shigeki Ohtsu) #19638.- deps: copy all openssl header files to include dir (Shigeki Ohtsu) #19638.- deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389.- deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389.- deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836.- crypto: update root certificates (Ben Noordhuis) #19322.Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. ![]() Such values now lead to rejected connections in the same way as non-numeric values. Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values.Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6. Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access.Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.Node v8.11.0 (LTS) By Myles Borins, Notable Changes ![]()
0 Comments
Leave a Reply. |