Node v6.15.0 (LTS)

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Node.js: Debugger port 5858 listens on any interface by default (CVE-2018-12120)

Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)

Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)

Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

Node.js: HTTP request splitting (CVE-2018-12116)

OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)

OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

Notable Changes

debugger : Backport of nodejs/node#8106 to prevent the debugger from listening on 0.0.0.0 . It now defaults to 127.0.0.1 . Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).

: Backport of nodejs/node#8106 to prevent the debugger from listening on . It now defaults to . Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis). deps : Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407

: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407 http : Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout . Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout() , this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina) Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError . This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)

: url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)

Commits

[ 4beba664e1 ] - deps : add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836

] - : add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836 [ 049fe7978f ] - deps : fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389

] - : fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389 [ e9becec84d ] - deps : fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389

] - : fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389 [ 78b3a5b2f7 ] - deps : copy all openssl header files to include dir (Sam Roberts) #24530

] - : copy all openssl header files to include dir (Sam Roberts) #24530 [ 6120f2429e ] - deps : upgrade openssl sources to 1.0.2q (Sam Roberts) #24530

] - : upgrade openssl sources to 1.0.2q (Sam Roberts) #24530 [ 92231a56d9 ] - deps,http : http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143

] - : http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143 [ dd20c0186f ] - (SEMVER-MINOR) http : add --security-revert for CVE-2018-12116 (Matteo Collina) nodejs-private/node-private#146

] - : add --security-revert for CVE-2018-12116 (Matteo Collina) nodejs-private/node-private#146 [ 811b63c794 ] - (SEMVER-MINOR) http : disallow two-byte characters in URL path (Benno Fünfstück) nodejs-private/node-private#146

] - : disallow two-byte characters in URL path (Benno Fünfstück) nodejs-private/node-private#146 [ 618eebdd17 ] - (SEMVER-MINOR) http,https : protect against slow headers attack (Matteo Collina) nodejs-private/node-private#152

] - : protect against slow headers attack (Matteo Collina) nodejs-private/node-private#152 [ b78d403da3 ] - openssl : fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389

] - : fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389 [ 35344e87bf ] - src : minor cleanup for node_revert (James M Snell) #14864

] - : minor cleanup for node_revert (James M Snell) #14864 [ a9791c9090 ] - src : make debugger listen on 127.0.0.1 by default (Ben Noordhuis) nodejs-private/node-private#148

] - : make debugger listen on 127.0.0.1 by default (Ben Noordhuis) nodejs-private/node-private#148 [ 9c268d0492 ] - url: avoid hostname spoofing w/ javascript protocol (Matteo Collina) nodejs-private/node-private#145

Windows 32-bit Installer: https://nodejs.org/dist/v6.15.0/node-v6.15.0-x86.msi

Windows 64-bit Installer: https://nodejs.org/dist/v6.15.0/node-v6.15.0-x64.msi

Windows 32-bit Binary: https://nodejs.org/dist/v6.15.0/win-x86/node.exe

Windows 64-bit Binary: https://nodejs.org/dist/v6.15.0/win-x64/node.exe

macOS 64-bit Installer: https://nodejs.org/dist/v6.15.0/node-v6.15.0.pkg

macOS 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-darwin-x64.tar.gz

Linux 32-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-x86.tar.xz

Linux 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-x64.tar.xz

Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-ppc64le.tar.xz

Linux PPC BE 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-ppc64.tar.xz

Linux s390x 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-s390x.tar.xz

AIX 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-aix-ppc64.tar.gz

SmartOS 32-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-sunos-x86.tar.xz

SmartOS 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-sunos-x64.tar.xz

ARMv6 32-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-armv6l.tar.xz

ARMv7 32-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-armv7l.tar.xz

ARMv8 64-bit Binary: https://nodejs.org/dist/v6.15.0/node-v6.15.0-linux-arm64.tar.xz

Source Code: https://nodejs.org/dist/v6.15.0/node-v6.15.0.tar.gz

Other release files: https://nodejs.org/dist/v6.15.0/

Documentation: https://nodejs.org/docs/v6.15.0/api/

SHASUMS