Node.js 8.11.3 和 10.4.1 发布了,更新内容如下:
8.11.3
Notable Changes
buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
http2
(CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
(CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
Commits
[
e1ff7c3cbc
] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#125[
c5a2748d8f
] - doc: buffer.fill() can zero-fill on invalid input (Сковорода Никита Андреевич) nodejs-private/node-private#119[
354f2d97ff
] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#123[
25c5111ca4
] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#119[
10c5adf19b
] - test: addRealloc()
shrink after reading stream data test (Anna Henningsen) nodejs-private/node-private#132[
bc91220ca2
] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#131[
acd11b01c4
] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#125
下载地址:
10.4.1
Notable Changes
Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
http2
(CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
(CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
n-api: Prevent use-after-free in napi_delete_async_work
Commits
[
1bbfe9a72b
] - build: fix configure script for double-digits (Misty De Meo) #21183[
4c90ee8fc6
] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#117[
e5c2f575b1
] - deps: patch V8 to 6.7.288.45 (Michaël Zasso) #21192[
03ded94ffe
] - deps: patch V8 to 6.7.288.44 (Michaël Zasso) #21146[
4de7e0c96c
] - deps,npm: float node-gyp patch on npm (Rich Trott) #21239[
92d7b6c9a0
] - fs: fix promises reads with pos > 4GB (cjihrig) #21148[
8681402228
] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#115[
53f8563353
] - n-api: back up env before async work finalize (Gabriel Schulhof) #21129[
9ba8ed1371
] - src: re-addRealloc()
shrink after reading stream data (Anna Henningsen) nodejs-private/node-private#128[
8e979482fa
] - Revert "src: restore stdio on program exit" (Evan Lucas) #21257[
cb5ec64956
] - src: reset TTY mode before cleaning up resources (Anna Henningsen) #21257[
ae5567eaea
] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#117[
e87bf625dd
] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#127[
eea2bce58d
] - tls: fix SSL write error handling (Anna Henningsen) nodejs-private/node-private#127[
1e49eadd68
] - tools,gyp: fix regex for version matching (Rich Trott) #21216
下载地址:
引用来自“高久峰”的评论
node之父都说这东西设计错误,无力回天,怎么还更新