Wednesday, 28 March, 2018 UTC


Summary

Notable Changes

  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
  • Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value of localhost or localhost6.
  • Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
  • Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.
  • cluster:
    • Add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165
  • crypto:
    • Expose the public key of a certificate (Hannes Magnusson) #17690
  • n-api:
    • Add napi_fatal_exception to trigger an uncaughtException in JavaScript (Mathias Buus) #19337
  • path:
    • Fix regression in posix.normalize (Michaël Zasso) #19520
  • stream:
    • Improve stream creation performance (Brian White) #19401
  • Added new collaborators
    • BethGriggs Beth Griggs

Commits

  • [926214aefe] - cluster: add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165
  • [6ead99aa73] - console: don't swallow call stack exceeded errors (Dan Kaplun) #19423
  • [02671dc12b] - crypto: update root certificates (Ben Noordhuis) #19322
  • [fd8c79ddfc] - (SEMVER-MINOR) crypto: add docs & tests for cert.pubkey & cert.fingerprint256 (Hannes Magnusson) #17690
  • [23312675cb] - (SEMVER-MINOR) crypto: provide full cert details to checkServerIdentity (Hannes Magnusson) #17690
  • [26e2938a50] - (SEMVER-MINOR) crypto: add cert.pubkey containing the raw pubkey of certificate (Hannes Magnusson) #17690
  • [f5d9324315] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
  • [f5eb182b50] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
  • [ddcb3fc886] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
  • [d908169bad] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #19638
  • [0cd883fe09] - deps: upgrade openssl sources to 1.0.2o (Shigeki Ohtsu) #19638
  • [c39167dc26] - deps: reject interior blanks in Content-Length (Ben Noordhuis) nodejs-private/http-parser-private#1
  • [3bc15a69ae] - deps: upgrade http-parser to v2.8.0 (Ben Noordhuis) nodejs-private/http-parser-private#1
  • [6591d9f761] - deps: cherry-pick 0c35b72 from upstream V8 (Gus Caplan) #18038
  • [e533911696] - doc: remove use of "random port" re dgram send (Thomas Hunter II) #19620
  • [3894981af2] - doc: improve assert legacy text (Rich Trott) #19622
  • [8191ada9ae] - doc: improve Buffer() text (Rich Trott) #19567
  • [2fadc9ef68] - doc: fix run-on sentence in buffer.md (Rich Trott) #19567
  • [962c5816a2] - doc: change v-notation for version in buffer.md (Rich Trott) #19567
  • [5a2f336994] - doc: add missing fs.Stats.size section (Vse Mozhet Byt) #19583
  • [8653c42a41] - doc: rename HTTP2 to HTTP/2 (Timothy Gu) #19603
  • [b70ac0ab2e] - doc: remove confusing note about child process stdio (Anna Henningsen) #19552
  • [5e3d971f79] - doc: add BethGriggs to collaborators (Beth Griggs) #19610
  • [5e9f9297b3] - doc: document make docopen (Ayush Gupta) #19321
  • [4db7848e09] - doc: remove example labels from buffer.md (Rich Trott) #19582
  • [f07e820e6d] - doc: add 'v' prefix to all versions in metadata (Tobias Nießen) #19590
  • [7e9b7a5683] - doc: add missing metadata for fs.open (Tobias Nießen) #19585
  • [d47e5d022f] - doc: add link & simplify data event (net.Socket) (Christopher Hiller) #19487
  • [43f24c0406] - doc: add directory structure in writing-tests.md (juggernaut451) #18802
  • [157fc28710] - doc: add added in versions to fs.Stats properties (jvelezpo) #19266
  • [fa17002215] - doc: add missing metadata for settings.windowsHide (Tobias Nießen) #19578
  • [4532a8913d] - doc: add require.main to require properties (Vse Mozhet Byt) #19573
  • [1e8ece149a] - doc: add missing metadata for cluster.settings.cwd (Tobias Nießen) #19569
  • [933c58cd76] - doc: add types for some process properties (Vse Mozhet Byt) #19571
  • [ae0e243028] - doc: fix n-api example string (Steven R. Loomis) #19205
  • [7c9ba3db40] - doc: correct introduced_in metadata for buffer doc (Rich Trott) #19545
  • [1073f09cad] - doc: minor improvements to buffer.md (Rich Trott) #19547
  • [9845fc3e4a] - doc: Add a missing comma (jiangq) #19555
  • [d1c45e258c] - doc: update child_process.md (Ari Leo Frankel) #19075
  • [8e3f59fbb5] - doc: clarify child_process promise rejections (TomCoded) #19541
  • [e9f41eecc8] - doc: move StackOverflow to unofficial section (josephleon) #19416
  • [3f49174969] - doc: move who-to-cc to COLABORATOR_GUIDE.md (Rich Trott) #19460
  • [65c9a5278c] - doc: require passing CI for landing code (Rich Trott) #19458
  • [98d038a1f3] - doc: simplify COLLABORATOR_GUIDE.md instructions (Rich Trott) #19458
  • [e5bcd8d981] - doc: reduce CI options in COLLABORATOR_GUIDE.md (Rich Trott) #19458
  • [26e97a124d] - doc: add new documentation rule (estrada9166) #18726
  • [ed55386d74] - doc: add fs declarations to stream doc js examples (Ivan Filenko) #18804
  • [9c672624b3] - doc: remove **Note:** tags (James M Snell) #18592
  • [742b304ea3] - doc: warn about using util.inspect/util.format (James M Snell) #17791
  • [d3833b0734] - doc: update collaborator guide (Ruben Bridgewater) #19116
  • [c3886b50c9] - doc: add note about browsers and HTTP/2 (Steven) #19476
  • [cc7ba0bb9d] - doc: fix/improve inspector profiler example (Ali Ijaz Sheikh) #19379
  • [9c9263e7cc] - doc: add trivikr to collaborators (Trivikram) #19384
  • [5960cde4eb] - doc: fix changelog (Myles Borins) #19515
  • [b351e0eda6] - http: use more destructuring (Tobias Nießen) #19481
  • [49c0efd2a2] - http2: remove some unnecessary next ticks (James M Snell) #19451
  • [583d5afa5e] - inspector: do not allow host names (Eugene Ostroukhov)
  • [fc1a610a00] - inspector: check Host header for local connections (Eugene Ostroukhov)
  • [419e88ea4a] - lib,test: lint fixes for linter upgrade (Rich Trott) #19528
  • [fd8523fe44] - n-api: re-write test_make_callback (Gabriel Schulhof) #19448
  • [29a04b7ed6] - (SEMVER-MINOR) n-api: add napi_fatal_exception (Mathias Buus) #19337
  • [223b42648f] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
  • [40916a27bc] - path: fix regression in posix.normalize (Michaël Zasso) #19520
  • [fad5dcce3b] - src: drop CNNIC+StartCom certificate whitelisting (Ben Noordhuis) #19322
  • [780a5d6f3a] - src: use unordered\_map for perf marks (Anna Henningsen) #19558
  • [f13cc3237e] - stream: improve stream creation performance (Brian White) #19401
  • [8996d3cf45] - test: remove third param from assert.strictEqual ([email protected]) #19536
  • [c1a327b0ed] - test: remove custom error message (DingDean) #19526
  • [9265f4bcb7] - test: remove string literal from assertions (Nathaniel Weeks) #19276
  • [efa38bd1a0] - test: remove message from assert.strictEqual() (willhayslett) #19525
  • [40be64d96d] - test: rename regression tests more expressively (Ujjwal Sharma) #19495
  • [0310df8fe6] - test: refactor parallel/test-tls-ca-concat.js (juggernaut451) #19092
  • [5f1a01d816] - test: fix buggy getTTYfd() implementation (Rich Trott) #17781
  • [c6b993bde7] - test: move firstInvalidFD() out of common module (Rich Trott) #17781
  • [8e69026962] - test: remove getTTYfd() from common module (Rich Trott) #17781
  • [a8d9ccf8fe] - test: remove common.projectDir (Rich Trott) #17781
  • [74582933c9] - test: refactor test-fs-readfile-tostring-fail (Rich Trott) #19404
  • [a56ba1258d] - tools: update certdata.txt (Ben Noordhuis) #19322
  • [e895d54224] - tools: simplify tools/doc/preprocess.js (Vse Mozhet Byt) #19539
  • [4c3465f68a] - tools: fix nits in tools/doc/common.js (Vse Mozhet Byt) #19599
  • [ab561c090b] - tools: shorten metadata parsing (Tobias Nießen) #19512
  • [0db7b8cd87] - tools: make metadata parsing less permissive (Tobias Nießen) #19512
  • [4007d6cbfe] - tools: update ESLint to 4.19.1 (Rich Trott) #19528
  • [89e7a5faad] - tools: fix nits in tools/doc/preprocess.js (Vse Mozhet Byt) #19473
  • [0414a8c7ed] - tools: fix logic nit in tools/doc/generate.js (Vse Mozhet Byt) #19475
Windows 32-bit Installer: https://nodejs.org/dist/v9.10.0/node-v9.10.0-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v9.10.0/node-v9.10.0-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v9.10.0/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v9.10.0/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v9.10.0/node-v9.10.0.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-darwin-x64.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-x86.tar.xz
Linux 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-aix-ppc64.tar.gz
SunOS 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-sunos-x86.tar.xz
SunOS 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-sunos-x64.tar.xz
ARMv6 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-armv6l.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v9.10.0/node-v9.10.0-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v9.10.0/node-v9.10.0.tar.gz
Other release files: https://nodejs.org/dist/v9.10.0/
Documentation: https://nodejs.org/docs/v9.10.0/api/

SHASUMS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

3ad90e0ed617eaa19d77d9d02c5c42f8b03560abbd02ddaa0db0016725660b9a  node-v9.10.0-aix-ppc64.tar.gz
c4b98cc2f3c00b770f24549de112902b56d57be7963a1047cd116b357bc61569  node-v9.10.0-darwin-x64.tar.gz
35a2e934d475aaca229d4d054365118bd303baa9c9954d087d0cee02ec42ba90  node-v9.10.0-darwin-x64.tar.xz
a41222cd88298b2e277cf1e04e88e9e962f9cbd0b0ce66837cea1f75ac21d33a  node-v9.10.0-headers.tar.gz
efda9c7d6344e529b3966ef7e95e89d93528490032d6d8df1af23581ae8c2393  node-v9.10.0-headers.tar.xz
2ff3351616e58d1355b643f6013cb45b30bf84aad523de05cdbf01d6c7b68e30  node-v9.10.0-linux-arm64.tar.gz
ba1d682aa1d5a12eeb39e7f51e4c67c6122b24482869ca2547c6f094eae90658  node-v9.10.0-linux-arm64.tar.xz
061f0a1d4563407626c826417f301913a6a6c61d12cc59b2f3ba806d995749b3  node-v9.10.0-linux-armv6l.tar.gz
42d1c45dc27686f9d3ea93472f0723139b72524c72b46f81fc1514fbcd9d7707  node-v9.10.0-linux-armv6l.tar.xz
8f1b5c62951f0dda9f3592d19198d8f8aea7a2c1ef43a6adf235ba8a65765e61  node-v9.10.0-linux-armv7l.tar.gz
bafe8061f6b27710ee64284c6a01793645eeb914bb711a9e6fc752a536ddfdc4  node-v9.10.0-linux-armv7l.tar.xz
fe4a120bc64065355956f22bf52695d35e68e7cefba6fcb94f6b53b445234b51  node-v9.10.0-linux-ppc64le.tar.gz
f727a1f8350656a7149021b1ceae6e83bffb520c4ce9e20d9e329036eee58ace  node-v9.10.0-linux-ppc64le.tar.xz
2f0693357d002f2e6be90bc2b6a9cf385b59a88adc2098a8afcbae3a8af88c6d  node-v9.10.0-linux-s390x.tar.gz
e0887c4605d2f796c5e95fd9096672b77bd1d43c01f11450f1f8019a9b0d816d  node-v9.10.0-linux-s390x.tar.xz
21a69c0f0181ec451444739d5c2f1df27cb96e7f328461dfa658e65846dc99ef  node-v9.10.0-linux-x64.tar.gz
b9bfffc03ef0e2c97d463619911552c7f5b1b8699de07bb913990a8b33800cb9  node-v9.10.0-linux-x64.tar.xz
c0113bc0ff5d48a5b2827ada0fa70ee9296f27b043ff4cec1f805374f7fe88f2  node-v9.10.0-linux-x86.tar.gz
1e96a62e76dd93d2a1f49d164b5e3bcfb5722844ef5ac15158c299f73cd446e3  node-v9.10.0-linux-x86.tar.xz
5959d1dec918b6585464c8022abcc0d2566931e4c2bcf0e4f5c935a737b3e742  node-v9.10.0.pkg
44b49e36b7bc853e15028c6af4837c7e9d95f08127d6751d274a2dfc5345552e  node-v9.10.0-sunos-x64.tar.gz
0b94e6d921f172f5ecb40b82f53d6bbf1836067b7897c7bd0362b450764221b8  node-v9.10.0-sunos-x64.tar.xz
19fadd9e2488fd377b771384b28fc4f274dbb2ae43aebefcbafd8e73a9a6a5cd  node-v9.10.0-sunos-x86.tar.gz
2385369de958788ecf5adaddabece9a4fae2646fffc1507993a71435cf5a82f5  node-v9.10.0-sunos-x86.tar.xz
e5654e552bcc7d011fe0c5bade53ba5c3acbd8d26bfda2cf57057537a03c8d76  node-v9.10.0.tar.gz
945a35a2599dfc0a306cdb3aae1c70034d6c28b03ab85daf8f2166fdaaade63a  node-v9.10.0.tar.xz
56bfb27221c35273d17ed2edac19ceaf62a2c76a1fd911af94b976c19e98345f  node-v9.10.0-win-x64.7z
3f159de87fd987e7bf30bbffce722e2e5133c44fc847883053359e9b08d6fa88  node-v9.10.0-win-x64.zip
0374a0cd01f932d836a032462ce7105b73850f7f4232a4f9b5cc77a506eba4a1  node-v9.10.0-win-x86.7z
833a0f4ea29ed16e61774918f38921c41e1e9f7ba53209e0442163e7d30bb3ed  node-v9.10.0-win-x86.zip
c053e4fe3b6c9f68231c28df41eb2569453abb0404c1fb22cc78a5cf2b967283  node-v9.10.0-x64.msi
d590505b28ee081c592efc82899d57418ee6c0665423a121589614e493281ad3  node-v9.10.0-x86.msi
bda61e2a5f0b4043475735743892649854710fb30e73335b2cd71d2349c1e13d  win-x64/node.exe
a280cbf7597330557094cf782896c42d2043f322349908d494be201cd77c6167  win-x64/node.lib
a6d89e52142d0953a4520c81d3b66a3ce9344106c9cf41d2e596fbc6b22f16d8  win-x64/node_pdb.7z
38481709e85e5e7d58d01ff4fadf73b7670f53db7550fe1ea882bb399d5900dd  win-x64/node_pdb.zip
280a5a8bc64f87c7288c310d4aacebd6916bad5948e9de7e544b533df3c89ea4  win-x86/node.exe
d80069347fa780a4e9864385e472d0d2da628a3ae7ee559f691700b609d571d1  win-x86/node.lib
b3516fa691896f723e05dba0dc15590e8ef35090333fd6b623c6a1dd0055dec9  win-x86/node_pdb.7z
0f1e89b86a807805b307699079de06b84f655bef3ecc6ac84619a91c0b113b7b  win-x86/node_pdb.zip
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEDv/hvO/ZyE49CYFSkzsB9AtcqUYFAlq7wk0ACgkQkzsB9Atc
qUZuAggAhvUCCGt8fOhW1i4t/GManaPYBME0zG+rJ85Ou/33q7CgQ//z5dWfRMb5
dzCNjK2FaEbdTH2PZkYIsG444zHqQWCHdlIJ2N2+Qg7+kJ+1WGiphi6ERtTCEK8n
M7TtlKBZIAqN8hcxVaNMLoJOa51GHiHQoyW7e8W7GCeCBOSBt7kvS9l1GJtV/D7J
AbHmE2MVJFp7i0AdVoanhMBtrAXKNjjseeFQAFUMG5t66oJUGDPWDdDEVyRu8kLd
fVQkWWWiXwbmwyGoX/ocS+OjFMgYTKCcuMswHIx5U7DQGaOynPWGJW3yk9goTwjD
PETIRrZngctYUrgJFiEWx7tJZ+ENiQ==
=tHfb
-----END PGP SIGNATURE-----