diff --git a/CHANGELOG.md b/CHANGELOG.md index ab99af5f92621a..28fab58bf5b439 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,7 +31,8 @@ release. -10.13.0
+10.14.0
+10.13.0
10.12.0
10.11.0
10.10.0
diff --git a/doc/api/http.md b/doc/api/http.md index a06d0e44bf9e83..c19fff4916bffd 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -943,7 +943,7 @@ Limits maximum incoming headers count. If set to 0, no limit will be applied. ### server.headersTimeout * {number} **Default:** `40000` diff --git a/doc/changelogs/CHANGELOG_V10.md b/doc/changelogs/CHANGELOG_V10.md index 244247586955b2..333638e5c5ad90 100644 --- a/doc/changelogs/CHANGELOG_V10.md +++ b/doc/changelogs/CHANGELOG_V10.md @@ -5,11 +5,15 @@ - + + - +
CurrentLTS 'Dubnium'Current
+ +10.14.0
10.13.0
+		 10.12.0
10.11.0
10.10.0
@@ -41,6 +45,41 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + +## 2018-11-27, Version 10.14.0 'Dubnium' (LTS), @rvagg + +This is a security release. All Node.js users should consult the security release summary at: + + https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ + +for details on patched vulnerabilities. + +Fixes for the following CVEs are included in this release: + + * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121) + * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js) + * Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123) + * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734) + * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735) + +### Notable Changes + +* **deps**: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735 +* **http**: + * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) +* **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina) + +### Commits + +* [[`38ca8baf81`](https://github.com/nodejs/node/commit/38ca8baf81)] - **deps**: update openssl 1.1.0 upgrade docs (Sam Roberts) [#24523](https://github.com/nodejs/node/pull/24523) +* [[`241ba81a5b`](https://github.com/nodejs/node/commit/241ba81a5b)] - **deps**: update archs files for OpenSSL-1.1.0 (Sam Roberts) [#24523](https://github.com/nodejs/node/pull/24523) +* [[`acc40efa90`](https://github.com/nodejs/node/commit/acc40efa90)] - **deps**: add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) [#24523](https://github.com/nodejs/node/pull/24523) +* [[`7efd184bb1`](https://github.com/nodejs/node/commit/7efd184bb1)] - **deps**: upgrade openssl sources to 1.1.0j (Sam Roberts) [#24523](https://github.com/nodejs/node/pull/24523) +* [[`a8532d4d23`](https://github.com/nodejs/node/commit/a8532d4d23)] - **deps,http**: http\_parser set max header size to 8KB (Matteo Collina) [nodejs-private/node-private#143](https://github.com/nodejs-private/node-private/pull/143) +* [[`eb43bc04b1`](https://github.com/nodejs/node/commit/eb43bc04b1)] - **(SEMVER-MINOR)** **http,https**: protect against slow headers attack (Matteo Collina) [nodejs-private/node-private#150](https://github.com/nodejs-private/node-private/pull/150) +* [[`8b1405ee01`](https://github.com/nodejs/node/commit/8b1405ee01)] - **url**: avoid hostname spoofing w/ javascript protocol (Matteo Collina) [nodejs-private/node-private#145](https://github.com/nodejs-private/node-private/pull/145) + ## 2018-10-30, Version 10.13.0 'Dubnium' (LTS), @MylesBorins @@ -1433,7 +1472,7 @@ Fixes for the following CVEs are included in this release: * [[`6aade4a765`](https://github.com/nodejs/node/commit/6aade4a765)] - **http**: remove a pair of outdated comments (Mark S. Everitt) [#21214](https://github.com/nodejs/node/pull/21214) * [[`bcaf59c739`](https://github.com/nodejs/node/commit/bcaf59c739)] - **http2**: fix memory leak for uncommon headers (Anna Henningsen) [#21336](https://github.com/nodejs/node/pull/21336) * [[`dee250fd77`](https://github.com/nodejs/node/commit/dee250fd77)] - **http2**: safer Http2Session destructor (Anatoli Papirovski) [#21194](https://github.com/nodejs/node/pull/21194) -* [[`296fd57324`](https://github.com/nodejs/node/commit/296fd57324)] - **inspector**: stop dragging platform pointer (Eugene Ostroukhov) +* [[`296fd57324`](https://github.com/nodejs/node/commit/296fd57324)] - **inspector**: stop dragging platform pointer (Eugene Ostroukhov) * [[`fb71337bdf`](https://github.com/nodejs/node/commit/fb71337bdf)] - **(SEMVER-MINOR)** **lib**: rename checkIsArrayBufferView() (Ben Noordhuis) [#20816](https://github.com/nodejs/node/pull/20816) * [[`f3570f201b`](https://github.com/nodejs/node/commit/f3570f201b)] - **(SEMVER-MINOR)** **lib**: replace checkUint() with validateInt32() (Ben Noordhuis) [#20816](https://github.com/nodejs/node/pull/20816) * [[`b4b7d368be`](https://github.com/nodejs/node/commit/b4b7d368be)] - **lib**: unmask mode\_t values with 0o777 (Joyee Cheung) [#20975](https://github.com/nodejs/node/pull/20975) diff --git a/src/node_version.h b/src/node_version.h index b8cf9aa6d0408a..27d0f09ce41909 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -23,13 +23,13 @@ #define SRC_NODE_VERSION_H_ #define NODE_MAJOR_VERSION 10 -#define NODE_MINOR_VERSION 13 -#define NODE_PATCH_VERSION 1 +#define NODE_MINOR_VERSION 14 +#define NODE_PATCH_VERSION 0 #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Dubnium" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)