Node v6.17.0 (LTS)

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739)

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)

OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

Notable Changes

deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for CVE-2019-1559. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.

http:

Backport server.keepAliveTimeout to prevent keep-alive HTTP and HTTPS connections remaining open and inactive for an extended period of time, leading to a potential Denial of Service (DoS). (CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)

Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by server.headersTimeout to connections in keep-alive mode. Reported by Marco Pracucci (Voxnest). (CVE-2019-5737 / Matteo Collina)
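An added example, not part of the original release notes or the Node.js project's code: it sets the two timeouts named above on an HTTP server and then checks over loopback that an idle keep-alive connection is closed by the server. The helper names hardenedServer and measureIdleClose and the timeout values are assumptions chosen for the demonstration.

```javascript
'use strict';
const http = require('http');
const net = require('net');

// Constructed demonstration values (assumptions); tune them for real traffic.
const KEEP_ALIVE_MS = 200;  // idle time allowed after a response on a keep-alive socket
const HEADERS_MS = 1000;    // time allowed for a client to deliver complete request headers

// Hypothetical helper: an HTTP server with both timeouts set explicitly.
function hardenedServer() {
  const server = http.createServer((req, res) => res.end('ok'));
  server.keepAliveTimeout = KEEP_ALIVE_MS;
  server.headersTimeout = HEADERS_MS;
  return server;
}

// Hypothetical check: send one keep-alive request on a raw socket, then stay
// silent and report how long the server leaves the idle connection open.
function measureIdleClose() {
  return new Promise((resolve, reject) => {
    const server = hardenedServer();
    server.on('error', reject);
    server.listen(0, '127.0.0.1', () => {
      const sock = net.connect(server.address().port, '127.0.0.1');
      let respondedAt = null;
      sock.on('connect', () => {
        sock.write('GET / HTTP/1.1\r\n' +
                   'Host: localhost\r\n' +
                   'Connection: keep-alive\r\n\r\n');
      });
      // Record when the first response bytes arrive; send nothing afterwards.
      sock.on('data', () => {
        if (respondedAt === null) respondedAt = Date.now();
      });
      sock.on('error', () => {});  // a reset also counts as a server-side close
      sock.on('close', () => {
        server.close();
        resolve({
          gotResponse: respondedAt !== null,
          idleMs: respondedAt === null ? null : Date.now() - respondedAt
        });
      });
    });
  });
}
```

The client in this check never closes the socket itself, so the promise resolves only when the server ends the idle connection.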

Commits

[b282c68ce8] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836

[a80ef49dcf] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389

[1d3c412101] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389

[661fd61c3a] - deps: copy all openssl header files to include dir (Shigeki Ohtsu)

[da12284235] - deps: upgrade openssl sources to 1.0.2r (Shigeki Ohtsu)

[b13b4a9ffb] - http: prevent slowloris with keepalive connections (Matteo Collina) nodejs-private/node-private#162

[e9ae4aaaad] - http: fix timeout reset after keep-alive timeout (Alexey Orlenko) #13549

[f23b3b6bad] - (SEMVER-MINOR) http: destroy sockets after keepAliveTimeout (Timur Shemsedinov) #2534

[190894448b] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389

[06a208d316] - test: refactor test-http-server-keep-alive-timeout (realwakka) #13448

[1c7fbdc53b] - test: improve test-https-server-keep-alive-timeout (Rich Trott) #13312

Windows 32-bit Installer: https://nodejs.org/dist/v6.17.0/node-v6.17.0-x86.msi

Windows 64-bit Installer: https://nodejs.org/dist/v6.17.0/node-v6.17.0-x64.msi

Windows 32-bit Binary: https://nodejs.org/dist/v6.17.0/win-x86/node.exe

Windows 64-bit Binary: https://nodejs.org/dist/v6.17.0/win-x64/node.exe

macOS 64-bit Installer: https://nodejs.org/dist/v6.17.0/node-v6.17.0.pkg

macOS 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-darwin-x64.tar.gz

Linux 32-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-x86.tar.xz

Linux 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-x64.tar.xz

Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-ppc64le.tar.xz

Linux PPC BE 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-ppc64.tar.xz

Linux s390x 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-s390x.tar.xz

AIX 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-aix-ppc64.tar.gz

SmartOS 32-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-sunos-x86.tar.xz

SmartOS 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-sunos-x64.tar.xz

ARMv6 32-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-armv6l.tar.xz

ARMv7 32-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-armv7l.tar.xz

ARMv8 64-bit Binary: https://nodejs.org/dist/v6.17.0/node-v6.17.0-linux-arm64.tar.xz

Source Code: https://nodejs.org/dist/v6.17.0/node-v6.17.0.tar.gz

Other release files: https://nodejs.org/dist/v6.17.0/

Documentation: https://nodejs.org/docs/v6.17.0/api/

SHASUMS