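Notable changes
This is a security release.
Vulnerabilities fixed:
- CVE-2019-15606: HTTP header values must not have trailing whitespace.
- CVE-2019-15605: HTTP request smuggling using a malformed Transfer-Encoding header.
- CVE-2019-15604: Remotely triggering an assertion on a TLS server with a malformed string.
Also, HTTP parsing is now stricter in order to be more secure. Since this may cause interoperability problems with some non-conformant HTTP implementations, the strict checks can be disabled with the --insecure-http-parser command-line flag or the insecureHTTPParser http option.
Using the insecure HTTP parser should be avoided.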
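The difference between the default strict parser and the insecureHTTPParser option named above, shown on one constructed request. This is an added example, not code from the Node.js project; the X-Demo header and the probeParser and compareParsers helpers are assumptions made for the illustration.

```javascript
const http = require('http');
const net = require('net');

// Constructed request: the X-Demo value contains a control byte (0x08),
// which is not a valid character in an HTTP header value.
const RAW_REQUEST =
  'GET / HTTP/1.1\r\n' +
  'Host: localhost\r\n' +
  'X-Demo: foo\x08bar\r\n' +
  'Connection: close\r\n\r\n';

// Hypothetical helper: starts a throwaway server on a loopback port, sends
// RAW_REQUEST over a raw socket, and reports what the server did with it.
function probeParser(insecureHTTPParser) {
  return new Promise((resolve, reject) => {
    let seenByHandler = null;
    const server = http.createServer({ insecureHTTPParser }, (req, res) => {
      seenByHandler = req.headers['x-demo']; // only reached if parsing succeeded
      res.end('ok');
    });
    server.on('error', reject);
    server.listen(0, '127.0.0.1', () => {
      const sock = net.connect(server.address().port, '127.0.0.1');
      let reply = '';
      sock.setEncoding('latin1');
      sock.on('data', (chunk) => { reply += chunk; });
      sock.on('error', () => {}); // a reset still ends in 'close' below
      sock.on('close', () => {
        server.close();
        resolve({ statusLine: reply.split('\r\n')[0], seenByHandler });
      });
      sock.write(RAW_REQUEST);
    });
  });
}

// Strict (default) first, then the opt-out the release notes advise against.
async function compareParsers() {
  const strict = await probeParser(false);
  const lenient = await probeParser(true);
  return { strict, lenient };
}
```

Running compareParsers().then(console.log) shows the strict server answering 400 without invoking the handler, while the lenient server passes the control byte through to application code.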
Commits
- [209767c7a2] - benchmark: support optional headers with wrk (Sam Roberts) nodejs-private/node-private#189
- [02c8905051] - crypto: fix assertion caused by unsupported ext (Fedor Indutny) nodejs-private/node-private#175
- [25d6011912] - deps: update llhttp to 2.0.4 (Beth Griggs) nodejs-private/llhttp-private#1
- [8162f0e194] - deps: upgrade http-parser to v2.9.3 (Sam Roberts) nodejs-private/http-parser-private#4
- [d41314ef99] - (SEMVER-MINOR) deps: upgrade http-parser to v2.9.1 (Sam Roberts) #30473
- [7fc565666c] - (SEMVER-MINOR) http: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) #31448
- [496736ff78] - (SEMVER-MINOR) http: opt-in insecure HTTP header parsing (Sam Roberts) #30567
- [76fd8910e9] - http: strip trailing OWS from header values (Sam Roberts) nodejs-private/node-private#189
- [9cd155eb4a] - test: using TE to smuggle reqs is not possible (Sam Roberts) nodejs-private/node-private#192
- [ab1fcb89cb] - test: check that --insecure-http-parser works (Sam Roberts) #31253
Windows 32-bit Installer: https://nodejs.org/dist/v12.15.0/node-v12.15.0-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v12.15.0/node-v12.15.0-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v12.15.0/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v12.15.0/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v12.15.0/node-v12.15.0.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-darwin-x64.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-aix-ppc64.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-sunos-x64.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v12.15.0/node-v12.15.0.tar.gz
Other release files: https://nodejs.org/dist/v12.15.0/
Documentation: https://nodejs.org/docs/v12.15.0/api/
SHASUMS