Node v11.3.0 (Current)

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)

Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)

Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)

OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)

Notable Changes

deps : Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735

: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735 http : Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout . Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout() , this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)

: url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)

Commits

[ 8f191f3759 ] - deps : update openssl 1.1.0 upgrade docs (Sam Roberts) #24523

] - : update openssl 1.1.0 upgrade docs (Sam Roberts) #24523 [ f20ac47d7a ] - deps : update archs files for OpenSSL-1.1.0 (Sam Roberts) #24523

] - : update archs files for OpenSSL-1.1.0 (Sam Roberts) #24523 [ 8248d227b7 ] - deps : add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) #24523

] - : add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) #24523 [ 65d03f0180 ] - deps : upgrade openssl sources to 1.1.0j (Sam Roberts) #24523

] - : upgrade openssl sources to 1.1.0j (Sam Roberts) #24523 [ a2b8aba23c ] - deps,http : llhttp set max header size to 8KB (Rod Vagg) nodejs-private/node-private#149

] - : llhttp set max header size to 8KB (Rod Vagg) nodejs-private/node-private#149 [ 74e01d0020 ] - deps,http : http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143

] - : http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143 [ 4ecbd3bdaa ] - http : reset headers_nread_ on llhttp parser reuse (Rod Vagg) nodejs-private/node-private#149

] - : reset headers_nread_ on llhttp parser reuse (Rod Vagg) nodejs-private/node-private#149 [ 04e0620597 ] - http : fix header limit errors and test for llhttp (Fedor Indutny) nodejs-private/node-private#149

] - : fix header limit errors and test for llhttp (Fedor Indutny) nodejs-private/node-private#149 [ 315ee2e626 ] - (SEMVER-MINOR) http,https : protect against slow headers attack (Matteo Collina) nodejs-private/node-private#144

] - : protect against slow headers attack (Matteo Collina) nodejs-private/node-private#144 [ d7504324e1 ] - url: avoid hostname spoofing w/ javascript protocol (Matteo Collina) nodejs-private/node-private#145

Windows 32-bit Installer: https://nodejs.org/dist/v11.3.0/node-v11.3.0-x86.msi

Windows 64-bit Installer: https://nodejs.org/dist/v11.3.0/node-v11.3.0-x64.msi

Windows 32-bit Binary: https://nodejs.org/dist/v11.3.0/win-x86/node.exe

Windows 64-bit Binary: https://nodejs.org/dist/v11.3.0/win-x64/node.exe

macOS 64-bit Installer: https://nodejs.org/dist/v11.3.0/node-v11.3.0.pkg

macOS 64-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-darwin-x64.tar.gz

Linux 64-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-linux-x64.tar.xz

Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-linux-ppc64le.tar.xz

Linux s390x 64-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-linux-s390x.tar.xz

AIX 64-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-aix-ppc64.tar.gz

SmartOS 64-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-sunos-x64.tar.xz

ARMv6 32-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-linux-armv6l.tar.xz

ARMv7 32-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-linux-armv7l.tar.xz

ARMv8 64-bit Binary: https://nodejs.org/dist/v11.3.0/node-v11.3.0-linux-arm64.tar.xz

Source Code: https://nodejs.org/dist/v11.3.0/node-v11.3.0.tar.gz

Other release files: https://nodejs.org/dist/v11.3.0/

Documentation: https://nodejs.org/docs/v11.3.0/api/

SHASUMS