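Notable changes
- Upgraded to OpenSSL 1.0.2o: It does not contain any security fixes that affect Node.js.
- Fixed the inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser into bypassing same-origin-policy checks and making HTTP connections to localhost or to hosts on the local network. Through this it could open the inspector as a debugger and gain access to full code execution. The inspector now only allows connections whose browser `Host` value is not resolved through DNS, or is `localhost` or `localhost6`.
- Fixed a regular expression denial-of-service vulnerability in the `'path'` module (CVE-2018-7158): If an attacker can pass a specially crafted path string to one of the affected `'path'` module functions, the regular expression used to parse POSIX paths could cause a denial of service.
- Whitespace is no longer allowed in HTTP `Content-Length` header values (CVE-2018-7159): The Node.js HTTP parser allowed whitespace in `Content-Length` header values. Such values now cause the connection to be rejected, in the same way as non-numeric values.
- Updated root certificates: 5 root certificates were added to the Node.js binary and 30 were removed.
- cluster:
  - Added support for `NODE_OPTIONS="--inspect"`. (Sameer Srivastava) #19165
- crypto:
  - Exposed the public key of a certificate. (Hannes Magnusson) #17690
- n-api:
  - Added `napi_fatal_exception` to trigger an `uncaughtException` in JavaScript. (Mathias Buus) #19337
- path:
  - Fixed a regression in `posix.normalize`. (Michaël Zasso) #19520
- stream:
  - Improved stream creation performance. (Brian White) #19401
- Added new collaborators.
  - BethGriggs Beth Griggs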
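
An added example (not code from Node.js or from these release notes) of the kind of `Host` header check the CVE-2018-7160 fix describes, applied to any loopback-only HTTP service: it accepts IP literals, which involve no DNS lookup, plus `localhost` and `localhost6`, and rejects every other name. The function names and the sample `Host` values are assumptions constructed for illustration.

```javascript
const net = require('net');

// Hypothetical helper: reduce a Host header value to its host part by
// dropping an optional :port and the brackets around an IPv6 literal.
// Returns '' for anything malformed.
function hostnameFromHostHeader(value) {
  const host = String(value || '').trim().toLowerCase();
  if (host.startsWith('[')) {
    const end = host.indexOf(']');
    if (end === -1) return '';
    const rest = host.slice(end + 1);
    if (rest !== '' && !/^:\d+$/.test(rest)) return '';
    const inner = host.slice(1, end);
    return net.isIP(inner) === 6 ? inner : ''; // brackets imply IPv6
  }
  if (net.isIP(host) === 6) return host; // bare IPv6 literal, no port
  const m = /^([^:]*)(?::\d+)?$/.exec(host);
  return m ? m[1] : '';
}

// True only for names an attacker's DNS cannot re-point: IP literals
// (no lookup happens) and the two fixed loopback names.
function isAllowedLocalHost(hostHeader) {
  const name = hostnameFromHostHeader(hostHeader);
  if (name === '') return false;
  if (net.isIP(name) !== 0) return true;
  return name === 'localhost' || name === 'localhost6';
}

// Guard for a loopback-only HTTP service: reply 400 and return false
// before any handler runs when the Host header fails the check.
function guard(req, res) {
  if (isAllowedLocalHost(req.headers.host)) return true;
  res.statusCode = 400;
  res.end('Bad Host header');
  return false;
}

// Constructed sample Host values (not taken from the release notes).
const samples = [
  '127.0.0.1:9229', '[::1]:9229', 'localhost:9229', 'localhost6',
  'rebind.attacker.example:9229', '127.0.0.1.attacker.example',
];
function classifySamples() {
  return samples.map((h) => [h, isAllowedLocalHost(h)]);
}
```

A rebinding page reaches the service through its own domain name, so the browser sends that name in `Host` even after the DNS record has been switched to 127.0.0.1; the check rejects it on the name alone.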
Commits
- [926214aefe] - cluster: add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165
- [6ead99aa73] - console: don’t swallow call stack exceeded errors (Dan Kaplun) #19423
- [02671dc12b] - crypto: update root certificates (Ben Noordhuis) #19322
- [fd8c79ddfc] - (SEMVER-MINOR) crypto: add docs & tests for cert.pubkey & cert.fingerprint256 (Hannes Magnusson) #17690
- [23312675cb] - (SEMVER-MINOR) crypto: provide full cert details to checkServerIdentity (Hannes Magnusson) #17690
- [26e2938a50] - (SEMVER-MINOR) crypto: add cert.pubkey containing the raw pubkey of certificate (Hannes Magnusson) #17690
- [f5d9324315] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
- [f5eb182b50] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
- [ddcb3fc886] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
- [d908169bad] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #19638
- [0cd883fe09] - deps: upgrade openssl sources to 1.0.2o (Shigeki Ohtsu) #19638
- [c39167dc26] - deps: reject interior blanks in Content-Length (Ben Noordhuis) nodejs-private/http-parser-private#1
- [3bc15a69ae] - deps: upgrade http-parser to v2.8.0 (Ben Noordhuis) nodejs-private/http-parser-private#1
- [6591d9f761] - deps: cherry-pick 0c35b72 from upstream V8 (Gus Caplan) #18038
- [e533911696] - doc: remove use of “random port” re dgram send (Thomas Hunter II) #19620
- [3894981af2] - doc: improve assert legacy text (Rich Trott) #19622
- [8191ada9ae] - doc: improve Buffer() text (Rich Trott) #19567
- [2fadc9ef68] - doc: fix run-on sentence in buffer.md (Rich Trott) #19567
- [962c5816a2] - doc: change v-notation for version in buffer.md (Rich Trott) #19567
- [5a2f336994] - doc: add missing fs.Stats.size section (Vse Mozhet Byt) #19583
- [8653c42a41] - doc: rename HTTP2 to HTTP/2 (Timothy Gu) #19603
- [b70ac0ab2e] - doc: remove confusing note about child process stdio (Anna Henningsen) #19552
- [5e3d971f79] - doc: add BethGriggs to collaborators (Beth Griggs) #19610
- [5e9f9297b3] - doc: document `make docopen` (Ayush Gupta) #19321
- [4db7848e09] - doc: remove example labels from buffer.md (Rich Trott) #19582
- [f07e820e6d] - doc: add ‘v’ prefix to all versions in metadata (Tobias Nießen) #19590
- [7e9b7a5683] - doc: add missing metadata for fs.open (Tobias Nießen) #19585
- [d47e5d022f] - doc: add link & simplify data event (net.Socket) (Christopher Hiller) #19487
- [43f24c0406] - doc: add directory structure in writing-tests.md (juggernaut451) #18802
- [157fc28710] - doc: add added in versions to fs.Stats properties (jvelezpo) #19266
- [fa17002215] - doc: add missing metadata for settings.windowsHide (Tobias Nießen) #19578
- [4532a8913d] - doc: add `require.main` to `require` properties (Vse Mozhet Byt) #19573
- [1e8ece149a] - doc: add missing metadata for cluster.settings.cwd (Tobias Nießen) #19569
- [933c58cd76] - doc: add types for some `process` properties (Vse Mozhet Byt) #19571
- [ae0e243028] - doc: fix n-api example string (Steven R. Loomis) #19205
- [7c9ba3db40] - doc: correct introduced_in metadata for buffer doc (Rich Trott) #19545
- [1073f09cad] - doc: minor improvements to buffer.md (Rich Trott) #19547
- [9845fc3e4a] - doc: Add a missing comma (jiangq) #19555
- [d1c45e258c] - doc: update child_process.md (Ari Leo Frankel) #19075
- [8e3f59fbb5] - doc: clarify child_process promise rejections (TomCoded) #19541
- [e9f41eecc8] - doc: move StackOverflow to unofficial section (josephleon) #19416
- [3f49174969] - doc: move who-to-cc to COLABORATOR_GUIDE.md (Rich Trott) #19460
- [65c9a5278c] - doc: require passing CI for landing code (Rich Trott) #19458
- [98d038a1f3] - doc: simplify COLLABORATOR_GUIDE.md instructions (Rich Trott) #19458
- [e5bcd8d981] - doc: reduce CI options in COLLABORATOR_GUIDE.md (Rich Trott) #19458
- [26e97a124d] - doc: add new documentation rule (estrada9166) #18726
- [ed55386d74] - doc: add fs declarations to stream doc js examples (Ivan Filenko) #18804
- [9c672624b3] - doc: remove **Note:** tags (James M Snell) #18592
- [742b304ea3] - doc: warn about using util.inspect/util.format (James M Snell) #17791
- [d3833b0734] - doc: update collaborator guide (Ruben Bridgewater) #19116
- [c3886b50c9] - doc: add note about browsers and HTTP/2 (Steven) #19476
- [cc7ba0bb9d] - doc: fix/improve inspector profiler example (Ali Ijaz Sheikh) #19379
- [9c9263e7cc] - doc: add trivikr to collaborators (Trivikram) #19384
- [5960cde4eb] - doc: fix changelog (Myles Borins) #19515
- [b351e0eda6] - http: use more destructuring (Tobias Nießen) #19481
- [49c0efd2a2] - http2: remove some unnecessary next ticks (James M Snell) #19451
- [583d5afa5e] - inspector: do not allow host names (Eugene Ostroukhov)
- [fc1a610a00] - inspector: check Host header for local connections (Eugene Ostroukhov)
- [419e88ea4a] - lib,test: lint fixes for linter upgrade (Rich Trott) #19528
- [fd8523fe44] - n-api: re-write test_make_callback (Gabriel Schulhof) #19448
- [29a04b7ed6] - (SEMVER-MINOR) n-api: add napi_fatal_exception (Mathias Buus) #19337
- [223b42648f] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
- [40916a27bc] - path: fix regression in posix.normalize (Michaël Zasso) #19520
- [fad5dcce3b] - src: drop CNNIC+StartCom certificate whitelisting (Ben Noordhuis) #19322
- [780a5d6f3a] - src: use `unordered_map` for perf marks (Anna Henningsen) #19558
- [f13cc3237e] - stream: improve stream creation performance (Brian White) #19401
- [8996d3cf45] - test: remove third param from assert.strictEqual (davis.okoth@kemsa.co.ke) #19536
- [c1a327b0ed] - test: remove custom error message (DingDean) #19526
- [9265f4bcb7] - test: remove string literal from assertions (Nathaniel Weeks) #19276
- [efa38bd1a0] - test: remove message from assert.strictEqual() (willhayslett) #19525
- [40be64d96d] - test: rename regression tests more expressively (Ujjwal Sharma) #19495
- [0310df8fe6] - test: refactor parallel/test-tls-ca-concat.js (juggernaut451) #19092
- [5f1a01d816] - test: fix buggy getTTYfd() implementation (Rich Trott) #17781
- [c6b993bde7] - test: move firstInvalidFD() out of common module (Rich Trott) #17781
- [8e69026962] - test: remove getTTYfd() from common module (Rich Trott) #17781
- [a8d9ccf8fe] - test: remove common.projectDir (Rich Trott) #17781
- [74582933c9] - test: refactor test-fs-readfile-tostring-fail (Rich Trott) #19404
- [a56ba1258d] - tools: update certdata.txt (Ben Noordhuis) #19322
- [e895d54224] - tools: simplify tools/doc/preprocess.js (Vse Mozhet Byt) #19539
- [4c3465f68a] - tools: fix nits in tools/doc/common.js (Vse Mozhet Byt) #19599
- [ab561c090b] - tools: shorten metadata parsing (Tobias Nießen) #19512
- [0db7b8cd87] - tools: make metadata parsing less permissive (Tobias Nießen) #19512
- [4007d6cbfe] - tools: update ESLint to 4.19.1 (Rich Trott) #19528
- [89e7a5faad] - tools: fix nits in tools/doc/preprocess.js (Vse Mozhet Byt) #19473
- [0414a8c7ed] - tools: fix logic nit in tools/doc/generate.js (Vse Mozhet Byt) #19475
Windows 32-bit Installer: https://nodejs.org/dist/v9.10.0/node-v9.10.0-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v9.10.0/node-v9.10.0-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v9.10.0/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v9.10.0/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v9.10.0/node-v9.10.0.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-darwin-x64.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-x86.tar.xz
Linux 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-aix-ppc64.tar.gz
SmartOS 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-sunos-x86.tar.xz
SmartOS 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-sunos-x64.tar.xz
ARMv6 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-armv6l.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v9.10.0/node-v9.10.0.tar.gz
Other release files: https://nodejs.org/dist/v9.10.0/
Documentation: https://nodejs.org/docs/v9.10.0/api/
SHASUMS
1 | -----BEGIN PGP SIGNED MESSAGE----- |