Node v8.14.0 (LTS)

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)

Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)

Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

Node.js: HTTP request splitting (CVE-2018-12116)

OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)

OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

Notable Changes

deps : Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407

: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407 http : Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout . Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout() , this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina) Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError . This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)

: url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)

Commits

[ add20f373c ] - deps : add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836

] - : add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836 [ c4e382cce3 ] - deps : fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389

] - : fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389 [ f1d1f12519 ] - deps : fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389

] - : fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389 [ 69037ad5c4 ] - deps : copy all openssl header files to include dir (Sam Roberts) #24530

] - : copy all openssl header files to include dir (Sam Roberts) #24530 [ f5b34336bb ] - deps : upgrade openssl sources to 1.0.2q (Sam Roberts) #24530

] - : upgrade openssl sources to 1.0.2q (Sam Roberts) #24530 [ 93dba83fb0 ] - deps,http : http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143

] - : http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143 [ 576038fb61 ] - (SEMVER-MINOR) http : add --security-revert for CVE-2018-12116 (Matteo Collina) nodejs-private/node-private#146

] - : add --security-revert for CVE-2018-12116 (Matteo Collina) nodejs-private/node-private#146 [ 513e9747a2 ] - (SEMVER-MINOR) http : disallow two-byte characters in URL path (Benno Fünfstück) nodejs-private/node-private#146

] - : disallow two-byte characters in URL path (Benno Fünfstück) nodejs-private/node-private#146 [ 696f063c5e ] - (SEMVER-MINOR) http,https : protect against slow headers attack (Matteo Collina) nodejs-private/node-private#151

] - : protect against slow headers attack (Matteo Collina) nodejs-private/node-private#151 [ 7f362a11ee ] - openssl : fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389

] - : fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389 [ 53a6e4eb20 ] - url: avoid hostname spoofing w/ javascript protocol (Matteo Collina) nodejs-private/node-private#145

Windows 32-bit Installer: https://nodejs.org/dist/v8.14.0/node-v8.14.0-x86.msi

Windows 64-bit Installer: https://nodejs.org/dist/v8.14.0/node-v8.14.0-x64.msi

Windows 32-bit Binary: https://nodejs.org/dist/v8.14.0/win-x86/node.exe

Windows 64-bit Binary: https://nodejs.org/dist/v8.14.0/win-x64/node.exe

macOS 64-bit Installer: https://nodejs.org/dist/v8.14.0/node-v8.14.0.pkg

macOS 64-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-darwin-x64.tar.gz

Linux 32-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-linux-x86.tar.xz

Linux 64-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-linux-x64.tar.xz

Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-linux-ppc64le.tar.xz

Linux s390x 64-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-linux-s390x.tar.xz

AIX 64-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-aix-ppc64.tar.gz

SmartOS 32-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-sunos-x86.tar.xz

SmartOS 64-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-sunos-x64.tar.xz

ARMv6 32-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-linux-armv6l.tar.xz

ARMv7 32-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-linux-armv7l.tar.xz

ARMv8 64-bit Binary: https://nodejs.org/dist/v8.14.0/node-v8.14.0-linux-arm64.tar.xz

Source Code: https://nodejs.org/dist/v8.14.0/node-v8.14.0.tar.gz

Other release files: https://nodejs.org/dist/v8.14.0/

Documentation: https://nodejs.org/docs/v8.14.0/api/

SHASUMS