중요한 보안 릴리스입니다. 패치된 취약점에 관한 자세한 사항은 https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ 문서를 참고하세요.
주요 변경 사항
- http: 요청과 응답의 HTTP 헤더를 파싱할 때 요청 스머글링(smuggling)을 허용하거나(CVE-2016-2086) 응답 스플리팅(splitting)을 허용할 수 있는(CVE-2016-2216) 취약점이 수정됐습니다.
이제 HTTP 헤더 파싱은 수용하는 문자를 제한하는 등 HTTP 스펙에 더 근접하게 조정되었습니다. - http-parser: 2.6.0 버전에서 2.6.1 버전으로 업그레이드 했습니다.
- npm: npm을 3.3.12 버전에서 3.6.0 버전으로 업그레이드 했습니다. (Rebecca Turner) #4958
- openssl: 1.0.2e 버전에서 1.0.2f 버전으로 업그레이드 했습니다.
로그잼(Logjam) 공격을 방지하기 위해 TLS 클라이언트는 이제 파라미터가 1024비트보다 짧은 디피-헬만(Diffie-Hellman) 핸드셰이크를 거부합니다.
이전에는 768비트까지 허용했습니다.
Commits
- [
3b6283c163] - benchmark: add a constant declaration fornet(Minwoo Jung) #3950 - [
3175f7450e] - buffer: remove duplicated code in fromObject (HUANG Wei) #4948 - [
58d67e26a2] - buffer: validate list elements in Buffer.concat (Michaël Zasso) #4951 - [
bafc86f00e] - buffer: refactor redeclared variables (Rich Trott) #4886 - [
0fa4d90b94] - build: Add VARIATION variable to binary target (Stefan Budeanu) #4631 - [
ec62789152] - crypto: fix memory leak in LoadPKCS12 (Fedor Indutny) #5109 - [
d9e934c71f] - crypto: addpfxcerts as CA certs too (Fedor Indutny) #5109 - [
0d4b538175] - crypto: use SSL_CTX_clear_extra_chain_certs. (Adam Langley) #4919 - [
abb0f6cd53] - crypto: fix build when OCSP-stapling not provided (Adam Langley) #4914 - [
755619c554] - crypto: use a const SSL_CIPHER (Adam Langley) #4913 - [
d5d2f86f89] - (SEMVER-MINOR) deps: update http-parser to version 2.6.1 (James M Snell) - [
f0bd176d6d] - deps: reapply c-ares floating patch (Ben Noordhuis) #5090 - [
f1a0827417] - deps: sync with upstream bagder/c-ares@2bae2d5 (Fedor Indutny) #5090 - [
cbf36de8f1] - deps: upgrade npm to 3.6.0 (Rebecca Turner) #4958 - [
dd97d07a0d] - deps: backport 8d00c2c from v8 upstream (Gibson Fahnestock) #5024 - [
b75263094b] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) #1836 - [
b312b7914f] - deps: upgrade openssl sources to 1.0.2f (Myles Borins) #4961 - [
fa0457ed04] - dns: throw a TypeError in lookupService with invalid port (Evan Lucas) #4839 - [
c4c8b3bf2e] - doc: fix dgram doc indentation (Rich Trott) #5118 - [
027cd2719f] - doc: clarify code of conduct reporting (Julie Pagano) #5107 - [
9f7aa6f868] - doc: clarify dgram socket.send() multi-buffer support (Matteo Collina) #5130 - [
a96ae2cb37] - doc: console is asynchronous unless it’s a file (Ben Noordhuis) #5133 - [
4c54c8f309] - doc: fix typo in dgram doc (Rich Trott) #5114 - [
9c93ea3d51] - doc: fix links order in Buffer doc (Alexander Makarenko) #5076 - [
a0ba378880] - doc: minor improvement in OS docs (Alexander Makarenko) #5006 - [
1e2108a6b7] - doc: fix links in Addons docs (Alexander Makarenko) #5072 - [
e5134b1701] - doc: fix inconsistent styling (Brian White) #4996 - [
dde160378e] - doc: fix link in cluster documentation (Timothy Gu) #5068 - [
e5254c12f4] - doc: fix reference to APIhash.final(Minwoo Jung) #5050 - [
87fd9968a8] - doc: clarify optional arguments of Buffer methods (Michaël Zasso) #5008 - [
9908eced24] - doc: uppercase ‘RSA-SHA256’ in crypto.markdown (Rainer Oviir) #5044 - [
bf0383bbea] - doc: apply consistent styling for functions (Rich Trott) #4974 - [
8c7f4bab2d] - doc: multiple improvements in Stream docs (Alexander Makarenko) #5009 - [
ee013715b9] - doc: improve styling consistency in VM docs (Alexander Makarenko) #5005 - [
9824b0d132] - doc: fix anchor links from stream to http and events (piepmatz) #5007 - [
2c85f79569] - doc: minor improvement to HTTPS doc (Alexander Makarenko) #5002 - [
9cf1370017] - doc: improve styling consistency in Buffer docs (Alexander Makarenko) #5001 - [
2750cb0613] - doc: consistent styling for functions in TLS docs (Alexander Makarenko) #5000 - [
4758bf13a5] - doc: update npm LICENSE using license-builder.sh (Rebecca Turner) #4958 - [
3b08b5d22c] - doc: fix minor typo in process doc (Prayag Verma) #5018 - [
129977c9c7] - doc: fix typo in Readme.md (Prayag Verma) #5017 - [
5de3dc557f] - doc: fixnotDeepEqualAPI (Minwoo Jung) #4971 - [
d47dadcc1f] - doc: make buffer methods styles consistent (Timothy Gu) #4873 - [
17888b122c] - doc: fix JSON generation for aliased methods (Timothy Gu) #4871 - [
396e4b9199] - doc: add more details to process.env (Evan Lucas) #4924 - [
bc11bf4659] - doc: don’t use “interface” as a variable name (ChALkeR) #4900 - [
bcf55d2f44] - doc: spell writable consistently (Peter Lyons) #4954 - [
4a6d0ac436] - doc: update eol handling in readline (Kári Tristan Helgason) #4927 - [
e65d3638c0] - doc: replace function expressions with arrows (Benjamin Gruenbaum) #4832 - [
423a58d66f] - doc: show links consistently in deprecations (Sakthipriyan Vairamani) #4907 - [
fd87659139] - doc: add docs working group (Bryan English) #4244 - [
19ed619cff] - doc: remove unnecessary bind(this) (Dmitriy Lazarev) #4797 - [
5129930786] - doc: keep the names in sorted order (Sakthipriyan Vairamani) #4876 - [
3c46c10d54] - doc: fix nonsensical grammar in Buffer::write (Jimb Esser) #4863 - [
a1af6fc1a7] - doc: addservernameparameter docs (Alexander Makarenko) #4729 - [
f4eeba8467] - doc: fix code type of markdowns (Jackson Tian) #4858 - [
fa1d453359] - doc: check for errors in ‘listen’ event (Benjamin Gruenbaum) #4834 - [
f462320f74] - doc: undo move http.IncomingMessage.statusMessage (Jeff Harris) #4822 - [
711245e5ac] - doc: style fixes for the TOC (Roman Reiss) #4748 - [
611c2f6fdf] - doc: proper markdown escaping -> __, *, _ (Robert Jefe Lindstaedt) #4805 - [
5a860d9cb7] - doc: Examples work when data exceeds buffer size (Glen Arrowsmith) #4811 - [
71ba14de86] - doc: update list of personal traits in CoC (Kat Marchán) #4801 - [
97eedfc57a] - doc: harmonize $ node command line notation (Robert Jefe Lindstaedt) #4806 - [
2dde0f08c9] - doc: add buf.indexOf encoding param with example (Karl Skomski) #3373 - [
66c74548de] - doc: fenced all code blocks, typo fixes (Robert Jefe Lindstaedt) #4733 - [
54e8845b5e] - fs: refactor redeclared variables (Rich Trott) #4959 - [
fa940cf9bc] - fs: remove unused branches (Benjamin Gruenbaum) #4795 - [
a3b84a4c93] - (SEMVER-MINOR) http: strictly forbid invalid characters from headers (James M Snell) - [
9b03af254a] - http: remove reference to onParserExecute (Tom Atkinson) #4773 - [
101de9de3f] - https: evict cached sessions on error (Fedor Indutny) #4982 - [
b2c8b7f6d3] - internal/child_process: call postSend on error (Fedor Indutny) #4752 - [
55030922e5] - lib: scope loop variables (Rich Trott) #4965 - [
725ad5b1ce] - lib: remove string_decoder.js var redeclarations (Rich Trott) #4978 - [
c09eb44a59] - module: refactor redeclared variable (Rich Trott) #4962 - [
612ce66c78] - net: refactor redeclared variables (Rich Trott) #4963 - [
c9b05dafe0] - net: move isLegalPort to internal/net (Evan Lucas) #4882 - [
7003a4e3d8] - node_contextify: do not incept debug context (Myles Borins) #4815 - [
5a77c095a6] - process: support symbol events (cjihrig) #4798 - [
85743c0e92] - querystring: check that maxKeys is finite (Myles Borins) #5066 - [
5a10fe932c] - querystring: use String.prototype.split’s limit (Manuel Valls) #2288 - [
2844cc03dc] - repl: remove variable redeclaration (Rich Trott) #4977 - [
ac6627a0fe] - src: avoid compiler warning in node_revert.cc (James M Snell) - [
459c5844c8] - (SEMVER-MINOR) src: add --security-revert command line flag (James M Snell) - [
95615196de] - src: clean up usage of proto (Jackson Tian) #5069 - [
e93b024214] - src: remove no longer relevant comments (Chris911) #4843 - [
a2c257a3ef] - src: fix negative values in process.hrtime() (Ben Noordhuis) #4757 - [
b46f3b84d4] - src,deps: replace LoadLibrary by LoadLibraryW (Cheng Zhao) iojs/io.js#226 - [
ee8d4bb075] - stream: prevent object map change in TransformState (Evan Lucas) #5032 - [
c8b6de244e] - stream: refactor redeclared variables (Rich Trott) #4816 - [
9dcc45e9c5] - test: enable to work pkcs12 test in FIPS mode (Shigeki Ohtsu) #5150 - [
e4390664ae] - test: disable gh-5100 test when in FIPS mode (Fedor Indutny) #5144 - [
cf3aa911ec] - test: fix flaky test-dgram-pingpong (Rich Trott) #5125 - [
63884f57dd] - test: mark flaky tests on Raspberry Pi (Rich Trott) #5082 - [
09917c99d8] - test: fixnet-socket-timeout-unrefflakiness (Santiago Gimeno) #4772 - [
83da19aa48] - test: fix redeclared test-event-emitter-* vars (Rich Trott) #4985 - [
87b27c913d] - test: fix redeclared test-intl var (Rich Trott) #4988 - [
e98772d68e] - test: remove redeclared var in test-domain (Rich Trott) #4984 - [
443d0463ca] - test: add common.platformTimeout() to dgram test (Rich Trott) #4938 - [
90219c3398] - test: fix flaky cluster test on Windows 10 (Rich Trott) #4934 - [
3488fa81b5] - test: fix variable redeclarations (Rich Trott) #4992 - [
7dc0905d4d] - test: fix redeclared test-util-* vars (Rich Trott) #4994 - [
53e7d605c9] - test: fix redeclared vars in sequential tests (Rich Trott) #4999 - [
a62ace9f7e] - test: fix tls-no-rsa-key flakiness (Santiago Gimeno) #4043 - [
9b8f025816] - test: fix redeclared vars in test-url (Rich Trott) #4993 - [
51fb8845d5] - test: fix redeclared test-path vars (Rich Trott) #4991 - [
b16b360ae8] - test: fix var redeclarations in test-os (Rich Trott) #4990 - [
d6199773e8] - test: fix test-net-* variable redeclarations (Rich Trott) #4989 - [
9dd5b3e01b] - test: fix redeclared test-http-* vars (Rich Trott) #4987 - [
835bf13c1d] - test: fix var redeclarations in test-fs-* (Rich Trott) #4986 - [
71d7a4457d] - test: fix redeclared vars in test-vm-* (Rich Trott) #4997 - [
38459402a5] - test: fix inconsistent styling in test-url (Brian White) #5014 - [
4934798c0d] - test: pummel test fixes (Rich Trott) #4998 - [
3970504298] - test: remove var redeclarations in test-crypto-* (Rich Trott) #4981 - [
a2881e2187] - test: remove test-cluster-* var redeclarations (Rich Trott) #4980 - [
c3d93299c2] - test: fix test-http-extra-response flakiness (Santiago Gimeno) #4979 - [
0384a43885] - test: Add assertion for TLS peer certificate fingerprint (Alan Cohen) #4923 - [
48a353fe41] - test: scope redeclared vars in test-child-process* (Rich Trott) #4944 - [
89d1149467] - test: fix test-tls-zero-clear-in flakiness (Santiago Gimeno) #4888 - [
f7ed47341a] - test: remove Object.observe from tests (Vladimir Kurchatkin) #4769 - [
d95e53dc3b] - test: refactor switch (Rich Trott) #4870 - [
7f1e3e929a] - test: remove race condition in http flood test (Rich Trott) #4793 - [
6539c64e67] - test: scope redeclared variable (Rich Trott) #4854 - [
62fb941557] - test: fix irregular whitespace issue (Roman Reiss) #4864 - [
3b225209f0] - test: fs.link() test runs on same device (Drew Folta) #4861 - [
1860eae110] - test: refactor test-net-settimeout (Rich Trott) #4799 - [
ae9a8cd053] - test: mark test-tick-processor flaky (Rich Trott) #4809 - [
57cea9e421] - test: remove test-http-exit-delay (Rich Trott) #4786 - [
2119c76d5a] - test: refactor test-fs-watch (Rich Trott) #4776 - [
e487b72459] - test: move cluster tests to parallel (Rich Trott) #4774 - [
8c694a658c] - test: improve test-cluster-disconnect-suicide-race (Rich Trott) #4739 - [
14f5bb7a99] - test,buffer: refactor redeclarations (Rich Trott) #4893 - [
62479e3406] - tls: scope loop vars with let (Rich Trott) #4853 - [
d6fbd81a7a] - tls_wrap: reach error reporting for UV_EPROTO (Fedor Indutny) #4885 - [
f75d06bf10] - tools: lint for empty character classes in regex (Rich Trott) #5115 - [
53cbd0564f] - tools: lint for spacing around unary operators (Rich Trott) #5063 - [
7fa5959c59] - tools: fix redeclared vars in doc/json.js (Rich Trott) #5047 - [
e95fd6ae70] - tools: apply linting to doc tools (Rich Trott) #4973 - [
777ed82162] - tools: fix detecting constructor for JSON doc (Timothy Gu) #4966 - [
5d55f59c85] - tools: add property types in JSON documentation (Timothy Gu) #4884 - [
fd5c56698e] - tools: add support for subkeys in release tools (Myles Borins) #4807 - [
34df6a5c0c] - tools: enable assorted ESLint error rules (Roman Reiss) #4864 - [
386ad7e0b5] - tools: fix setting path containing an ampersand (Brian White) #4804 - [
e415eb27e5] - url: change scoping of variables with let (Kári Tristan Helgason) #4867
Windows 32-bit Installer: https://nodejs.org/dist/v5.6.0/node-v5.6.0-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v5.6.0/node-v5.6.0-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v5.6.0/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v5.6.0/win-x64/node.exe
Mac OS X 64-bit Installer: https://nodejs.org/dist/v5.6.0/node-v5.6.0.pkg
Mac OS X 64-bit Binary: https://nodejs.org/dist/v5.6.0/node-v5.6.0-darwin-x64.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v5.6.0/node-v5.6.0-linux-x86.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v5.6.0/node-v5.6.0-linux-x64.tar.gz
SunOS 32-bit Binary: https://nodejs.org/dist/v5.6.0/node-v5.6.0-sunos-x86.tar.gz
SunOS 64-bit Binary: https://nodejs.org/dist/v5.6.0/node-v5.6.0-sunos-x64.tar.gz
ARMv6 32-bit Binary: Coming soon
ARMv7 32-bit Binary: https://nodejs.org/dist/v5.6.0/node-v5.6.0-linux-armv7l.tar.gz
ARMv8 64-bit Binary: https://nodejs.org/dist/v5.6.0/node-v5.6.0-linux-arm64.tar.gz
Source Code: https://nodejs.org/dist/v5.6.0/node-v5.6.0.tar.gz
Other release files: https://nodejs.org/dist/v5.6.0/
Documentation: https://nodejs.org/docs/v5.6.0/api/
Shasums (GPG signing hash: SHA512, file hash: SHA256):
1 | -----BEGIN PGP SIGNED MESSAGE----- |