Notable Changes
This is a security release.
Vulnerabilities fixed:
- CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
- CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
- CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
--insecure-http-parser
command line flag, or the insecureHTTPParser
http option. Using the insecure HTTP parser should be avoided.
Commits
- [
b7da194714
] - benchmark: support optional headers with wrk (Sam Roberts) nodejs-private/node-private#189
- [
1156a9e5f8
] - crypto: fix assertion caused by unsupported ext (Fedor Indutny) nodejs-private/node-private#175
- [
8f41e837bb
] - deps: update llhttp to 2.0.4 (Beth Griggs) nodejs-private/node-private#199
- [
07d56e49cf
] - (SEMVER-MINOR) http: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) #31448
- [
25b6897e8a
] - http: strip trailing OWS from header values (Sam Roberts) nodejs-private/node-private#189
- [
eea3a7429b
] - test: using TE to smuggle reqs is not possible (Sam Roberts) nodejs-private/node-private#199
Windows 32-bit Installer: https://nodejs.org/dist/v13.8.0/node-v13.8.0-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v13.8.0/node-v13.8.0-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v13.8.0/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v13.8.0/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v13.8.0/node-v13.8.0.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-darwin-x64.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-aix-ppc64.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-sunos-x64.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v13.8.0/node-v13.8.0.tar.gz
Other release files: https://nodejs.org/dist/v13.8.0/
Documentation: https://nodejs.org/docs/v13.8.0/api/
SHASUMS
[INSERT SHASUMS HERE]