By default the agent options are passed to `net.createConnection()`
which sets the timeout on the socket immediately after creating it.
PR-URL: https://github.com/nodejs/node/pull/25489
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/156/
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/155/
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
Notable Changes:
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* Two-byte characters are now strictly disallowed for the `path` option in
HTTP client requests. Paths containing characters outside of the range
`\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
can be reverted if necessary by supplying the
`--security-revert=CVE-2018-12116` command line argument (this is not
recommended). Reported as security concern for Node.js 6 and 8 by
Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
Fünfstück applied to Node.js 10 and later.
(CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/154
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Debugger port 5858 listens on any interface by default
(CVE-2018-12120)
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
Notable Changes:
* debugger: Backport of https://github.com/nodejs/node/pull/8106 to
prevent the debugger from listening on `0.0.0.0`. It now defaults to
`127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
(CVE-2018-12122 / Matteo Collina)
* Two-byte characters are now strictly disallowed for the `path` option in
HTTP client requests. Paths containing characters outside of the range
`\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
can be reverted if necessary by supplying the
`--security-revert=CVE-2018-12116` command line argument (this is not
recommended). Reported as security concern for Node.js 6 and 8 by
Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
Fünfstück applied to Node.js 10 and later.
(CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/153
CVE-2018-12122
An attacker can send a char/s within headers and exahust the resources
(file descriptors) of a system even with a tight max header length
protection. This PR destroys a socket if it has not received the headers
in 40s.
PR-URL: https://github.com/nodejs-private/node-private/pull/144
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
* buffer:
* Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
(CVE-2018-12115)
* Fix unintentional exposure of uninitialized memory in `Buffer.alloc()`
(CVE-2018-7166)
* deps:
* Upgrade to OpenSSL 1.1.0i, fixing:
- Client DoS due to large DH parameter (CVE-2018-0732)
- ECDSA key extraction via local side-channel (CVE not assigned)
* Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
- Memory reduction and performance improvements, details at:
https://v8project.blogspot.com/2018/06/v8-release-68.html
* http: `http.get()` and `http.request()` (and `https` variants) can now accept
three arguments to allow for a `URL` _and_ an `options` object
(Sam Ruby) #21616
* Added new collaborators
* Sam Ruby (https://github.com/rubys)
* George Adams (https://github.com/gdams)
