This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ for details on the patched vulnerabilities.
This release includes fixes for the following CVEs:
Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Notable Changes
deps: OpenSSL has been upgraded to 1.0.2r, which contains a fix for CVE-2019-1559. Under certain circumstances, a TLS server could be made to respond differently to a client when it received a 0-byte record with invalid padding than when it received one with an invalid MAC. This can serve as the basis for a padding oracle attack against encrypted data.
http: The receive timeout set by server.headersTimeout is now applied consistently to connections in keep-alive mode, preventing "Slowloris" attacks on HTTP and HTTPS connections. This issue was reported by Marco Pracucci (Voxnest). (CVE-2019-5737 / Matteo Collina)
Commits
Windows 32-bit Installer: https://nodejs.org/dist/v8.15.1/node-v8.15.1-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v8.15.1/node-v8.15.1-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v8.15.1/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v8.15.1/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v8.15.1/node-v8.15.1.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-darwin-x64.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-linux-x86.tar.xz
Linux 64-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-aix-ppc64.tar.gz
SmartOS 32-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-sunos-x86.tar.xz
SmartOS 64-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-sunos-x64.tar.xz
ARMv6 32-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-linux-armv6l.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v8.15.1/node-v8.15.1-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v8.15.1/node-v8.15.1.tar.gz
Other release files: https://nodejs.org/dist/v8.15.1/
Documentation: https://nodejs.org/docs/v8.15.1/api/
SHASUMS