Node v4.6.0(LTS)

작성자: Rod Vagg
원문: Node v4.6.0 (LTS)
번역: marocchino

중요한 보안 릴리스입니다. 모든 Node.js 사용자는 수정된 취약점에 대한 자세한 내용을 보안 릴리스 요약에서 확인하세요.

주요 변경사항

Semver 부 버전:

openssl:
- 1.0.2i로 업그레이드, Node.js에 영향을 주는 몇몇 결함 CVE-2016-6304(“OCSP 상태 요청이 무한 메모리 증가로 확장”, 높은 심각도), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178, CVE-2016-6306을 수정했습니다.(Shigeki Ohtsu) #8714
- 1.0.2j로 업그레이드, 1.0.2i에 포함된 CRL을 사용할 때 충돌하는 결함(CVE-2016-7052)을 수정했습니다.(Shigeki Ohtsu) #8786
- 동적 서드파티 엔진 모듈 지원을 제거했습니다. 공격자가 Node.js 런타임에 동적 엔진 모듈로 가장하여 악의적인 코드를 숨길 수 있습니다. Ahmed Zaki(Skype)가 처음 보고했습니다.(Ben Noordhuis) nodejs/node-private#70
http: CVE-2016-5325 - ServerResponse#writeHead()의 reason 인자의 허용된 문자를 올바르게 검증합니다. 응답 분리(response splitting) 공격의 가능성을 수정했습니다. 이 변경으로 HTTP 응답 설정에서 throw가 발생할 수 있습니다. 사용자는 이 부분에 try/catch를 적용하셔야 합니다. Evan Lucas, Romain Gaucher가 각각 처음 보고했습니다.(Evan Lucas) nodejs/node-private#46

Semver 수 버전:

buffer: Buffer.concat()으로 생성된 새 Buffer 객체에 원본 Buffer 객체의 총 길이를 초과하는 totalLength 파라미터를 넘길 때 초과된 바이트에 0를 채워넣습니다.(Сковорода Никита Андреевич) nodejs/node-private#65
tls: CVE-2016-7099 - 올바르지 않은 와일드카드 인증 검증을 수정했습니다. TLS 서버가 자신의 호스트 이름에 대해 적절하지 않은 *. 와일드카드 검증 때문에 올바르지 않은 와일드 카드 인증을 할 수 있었습니다. Alexander Minozhenko, James Bunton(Atlassian)이 처음 보고했습니다.(Ben Noordhuis) nodejs/node-private#63

Commits

[93b10fbec2] - buffer: zero-fill uninitialized bytes in .concat() (Сковорода Никита Андреевич) nodejs/node-private#65
[c214e8847d] - crypto: don’t build hardware engines (Ben Noordhuis) nodejs/node-private#70
[af9dda152c] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836
[6bb9749c33] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389
[5176a8ad57] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389
[aa9ed60a51] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #8786
[0c74e2ad35] - deps: upgrade openssl sources to 1.0.2j (Shigeki Ohtsu) #8786
[8f3d6760cf] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #8714
[e8f29e2ba8] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836
[01cf5b0ae7] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389
[19ae4e8ae1] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389
[cbed5e64be] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #8714
[e7fdace18f] - deps: upgrade openssl sources to 1.0.2i (Shigeki Ohtsu) #8714
[b5c57ff772] - http: check reason chars in writeHead (Evan Lucas) nodejs/node-private#46
[3ff82deb2c] - lib: make tls.checkServerIdentity() more strict (Ben Noordhuis) nodejs/node-private#63
[7c696e201a] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389
[44e5776c0f] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389
[c7a601c090] - test: remove openssl options of -no_ (Shigeki Ohtsu) #8714

Shasums (GPG signing hash: SHA512, file hash: SHA256):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

525ab42c767525edb7e512c600dedb20d826a6f58e1d6d1b774651a1c782a267  node-v4.6.0-darwin-x64.tar.gz
3c728c25b541fd8b88826568e7867098658df7c45d2389b60877c093a9803bd0  node-v4.6.0-darwin-x64.tar.xz
5eb4b4324d72297066b4b8c91d0b1e7c82cabde9986c986682be66202f37176b  node-v4.6.0-headers.tar.gz
862ce573bcfd592ea0c24861c0097bd23ca842d263e03f5dfa1ce08be888f20f  node-v4.6.0-headers.tar.xz
bf03e7384b727bc80c0c59cf38ba5704d83faa7f455f40fa62a67c8331dde7d6  node-v4.6.0-linux-arm64.tar.gz
7683e664b648c4ec3f86935f4b4f9fbf56f19d171e1e29d5adf687fc4c392b5b  node-v4.6.0-linux-arm64.tar.xz
e7db1c612eb9dd55e3ff246bfa7c35f0b87664e6e2bc7b32891de8cc1e48f5a7  node-v4.6.0-linux-armv6l.tar.gz
766d10a73886bbe1a3abd4b78563a825408cab7e116e590f1bbdc9b88cc3aa09  node-v4.6.0-linux-armv6l.tar.xz
9e46082bef5b521afd483532c8d3715f33d1d4302b7980b904bea3182817275f  node-v4.6.0-linux-armv7l.tar.gz
def976771b4a2a4488b87a06c8295ffea55671f7f42df13e3718341d28bf2d40  node-v4.6.0-linux-armv7l.tar.xz
2aa9518ea637cc06877a01c40d4608cf9a7f1588000cf3e550e4ab24c170aee6  node-v4.6.0-linux-ppc64le.tar.gz
b06c39da4fae47e2d204cae183425a3a77849944c5be47c5807f4f08cef51f64  node-v4.6.0-linux-ppc64le.tar.xz
ee77fb6a1dfbe166c9faee25b4f110af25723c64b0abcb9085507b8445fa2e7b  node-v4.6.0-linux-ppc64.tar.gz
e35955a846c1082e1681fdcbf488a66e43f56fb0aa7205b86a4aa0ce69dfb1eb  node-v4.6.0-linux-ppc64.tar.xz
acf08148cecf245f28126122ac9128ff9909f00938b18d80fc0b92648d1c98a8  node-v4.6.0-linux-x64.tar.gz
a77ceb75a05984153304ad0f09b11d234ca54a67714ba575b52e4298df0343d1  node-v4.6.0-linux-x64.tar.xz
9aab75618de0dca640d747aa25073cbb5a01342dd8aa177df8112e26a39541f4  node-v4.6.0-linux-x86.tar.gz
8994ee2c180a97fc4280bfb390444a4bcb2629290aa8243e7ab6271efab593f4  node-v4.6.0-linux-x86.tar.xz
0359c50c5d7e887c7f17d7ea4f42b1776ac8df263c6471bf8054b5c9f3d42a67  node-v4.6.0.pkg
e9a02da71d0cd6a1874f4a7d227dfcbe6ab9492eba419b5c9a83c8c95065195f  node-v4.6.0-sunos-x64.tar.gz
8ea3d2887b4850fb92f75573f30bbb257b7cd11f71cda12becc34868c535acf8  node-v4.6.0-sunos-x64.tar.xz
f8536a25629ef1ad3228b2d712e2fa43bf66980673d3cdf469da37c0407e9633  node-v4.6.0-sunos-x86.tar.gz
5750a8256356f43c6b80854b7c6ce46d6933e64cf5f2efecdf4841e4fe582a28  node-v4.6.0-sunos-x86.tar.xz
0838f12e329edb252e6e6baddca85632bf5ff2ec900e737e88f9bf9b38946b1b  node-v4.6.0.tar.gz
42910dbd34e49bfc40580e06753947c30d31101455a38e9f0343a23d67c0c694  node-v4.6.0.tar.xz
0c6509c13cfa9795f08b9bf694383de7e4d93cde14a9e8979a92f21736e19498  node-v4.6.0-win-x64.7z
0782bd50251c2a159fba5b874c56fb4a6680f454cc16892cee8e62d17b7d6f60  node-v4.6.0-win-x64.zip
413f98f2b765fe862ff6971724c3f265dbfe5a2cb865dd1894b4447426542c91  node-v4.6.0-win-x86.7z
13a5dcb90a8397f62c55945b65cb1c7b9d7576af3cbfc8d9cb67f72edcf68201  node-v4.6.0-win-x86.zip
80926b2df6e7efc8adda2e1fcb6328b99fe878d728cf93f39b0c710adc1bcb35  node-v4.6.0-x64.msi
5f91bf57512c1fa96d016c8f6236c689998ed926faa13aaf2170154342ca915a  node-v4.6.0-x86.msi
7564472c672e729a724ffe890ba06ec318c9e311684516a25a47b3f1e549504e  win-x64/node.exe
24178152fc3a99b9b83a1620897c5624cb7e0ba0544da38e18ca0cde807435d4  win-x64/node.lib
44dbbec125f3c4804ed5d002628c7ddb8e51cd352af0542b9edebcfd718967b5  win-x64/node_pdb.7z
b92e5e5031f19f201ec4568d7761c263af9a20e02b34bdd9e5f7191750aee3fb  win-x64/node_pdb.zip
7c9287cec4379082393d85af919a36a3512aa6bfcbf3deba3261a472580041f8  win-x86/node.exe
7d5988939f1567a4d7180010f49ec36b8d3897a8eccb78e461a774d8d2de614e  win-x86/node.lib
98f955f69195f12ec429e4cff629c650a6b1dcb43a1c18cef9cf79a11067c88d  win-x86/node_pdb.7z
0d0faf3bf0fcf50a943d8202d24d8eb8bb0695ea99498360c1a8a745c7811fd7  win-x86/node_pdb.zip
-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJX6xhwAAoJEMJzeS99g1RdoksH/139ljOj+Vjc0nVNRn5m2KxC
3gldiKMaNBeefV9JOA3tG1fei3KPvO/PRHVCYogQO8IEEpJ5Yer+zQpsLOg/xGDR
nsg9xOBupnSlUAfALilWhkDkBDgcauuiII3tP98GjDaSS+cH6Pctt08l2XTCROYk
YThc0nonmobDGSsHVf4biv+ySMocmpZGU0h10xS2lRVlrxMpEzsxVuCSv52fRDKy
gD0Hf9ZSFi9i1MIxKOIolYpdIVmrS29c6J0LbjW2WcTk21jIOENXEk1uEl71OWHD
plT4hauehu/3a89FcqsOu10MqLStFuEm0T1CXtmn4/Vm2FhJnZfdiCDT1YABD00=
=LyAk
-----END PGP SIGNATURE-----