diff options
| author | Myles Borins <mylesborins@google.com> | 2018-03-28 02:50:11 -0400 |
|---|---|---|
| committer | Myles Borins <mylesborins@google.com> | 2018-03-28 12:19:33 -0400 |
| commit | ffbcd1d1d154a793cf4f2db7fbca66f80ef374b5 (patch) | |
| tree | 784089e90b2e29b76925fb5798b6a9f402166b83 /CHANGELOG.md | |
| parent | ebe51d6492c3993020e1859b5269aa783fad0a4a (diff) | |
| download | node-new-ffbcd1d1d154a793cf4f2db7fbca66f80ef374b5.tar.gz | |
2018-03-28, Version 6.14.0 'Boron' (LTS)
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/113
Diffstat (limited to 'CHANGELOG.md')
| -rw-r--r-- | CHANGELOG.md | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index a1cb757ddb..1c8036c4ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -69,7 +69,8 @@ release. <a href="doc/changelogs/CHANGELOG_V8.md#8.0.0">8.0.0</a><br/> </td> <td valign="top"> -<b><a href="doc/changelogs/CHANGELOG_V6.md#6.13.1">6.13.1</a></b><br/> +<b><a href="doc/changelogs/CHANGELOG_V6.md#6.14.0">6.14.0</a></b><br/> +<a href="doc/changelogs/CHANGELOG_V6.md#6.13.1">6.13.1</a><br/> <a href="doc/changelogs/CHANGELOG_V6.md#6.13.0">6.13.0</a><br/> <a href="doc/changelogs/CHANGELOG_V6.md#6.12.3">6.12.3</a><br/> <a href="doc/changelogs/CHANGELOG_V6.md#6.12.2">6.12.2</a><br/> |