Thu, 25 Sep 2014 00:12:24 UTC - release

2014.09.24, Version 0.11.14 (Unstable)

  • uv: Upgrade to v1.0.0-rc1

  • http_parser: Upgrade to v2.3.0

  • npm: Upgrade to v2.0.0

  • openssl: Upgrade to v1.0.1i

  • v8: Upgrade to 3.26.33

  • Add fast path for simple URL parsing (Gabriel Wicke)

  • Added support for options parameter in console.dir() (Xavi Magrinyà)

  • Cluster: fix shared handles on Windows (Alexis Campailla)

  • buffer: Fix incorrect Buffer.compare behavior (Feross Aboukhadijeh)

  • buffer: construct new buffer from buffer toJSON() output (cjihrig)

  • buffer: improve Buffer constructor (Kang-Hao Kenny)

  • build: linking CoreFoundation framework for OSX (Thorsten Lorenz)

  • child_process: accept uid/gid everywhere (Fedor Indutny)

  • child_process: add path to spawn ENOENT Error (Ryan Cole)

  • child_process: copy spawnSync() cwd option to proper buffer (cjihrig)

  • child_process: do not access stderr when stdio set to 'ignore' (cjihrig)

  • child_process: don't throw on EAGAIN (Charles)

  • child_process: don't throw on EMFILE/ENFILE (Ben Noordhuis)

  • child_process: use full path for cmd.exe on Win32 (Ed Morley)

  • cluster: allow multiple calls to setupMaster() (Ryan Graham)

  • cluster: centralize removal from workers list. (Julien Gilli)

  • cluster: enable error/message events using .worker (cjihrig)

  • cluster: include settings object in 'setup' event (Ryan Graham)

  • cluster: restore v0.10.x setupMaster() behaviour (Ryan Graham)

  • cluster: support options in Worker constructor (cjihrig)

  • cluster: test events emit on cluster.worker (Sam Roberts)

  • console: console.dir() accepts options object (Xavi Magrinyà)

  • crypto: add honorCipherOrder argument (Fedor Indutny)

  • crypto: allow padding in RSA methods (Fedor Indutny)

  • crypto: clarify RandomBytes() error msg (Mickael van der Beek)

  • crypto: never store pointer to conn in SSL_CTX (Fedor Indutny)

  • crypto: unsigned value can't be negative (Brian White)

  • dgram: remove new keyword from errnoException (Jackson Tian)

  • dns: always set variable family in lookup() (cjihrig)

  • dns: include host name in error message if available (Maciej Małecki)

  • dns: introduce lookupService function (Saúl Ibarra Corretgé)

  • dns: send lookup c-ares errors to callback (Chris Dickinson)

  • dns: throw if hostname is not string or falsey (cjihrig)

  • events: Output the event that is leaking (Arnout Kazemier)

  • fs: close file if fstat() fails in readFile() (cjihrig)

  • fs: fs.readFile should not throw uncaughtException (Jackson Tian)

  • http: add 308 status_code, see RFC7238 (Yazhong Liu)

  • http: don't default OPTIONS to chunked encoding (Nick Muerdter)

  • http: fix bailout for writeHead (Alex Kocharin)

  • http: remove unused code block (Fedor Indutny)

  • http: write() after end() emits an error. (Julien Gilli)

  • lib, src: add vm.runInDebugContext() (Ben Noordhuis)

  • lib: noisy deprecation of child_process customFds (Ryan Graham)

  • module: don't require fs several times (Robert Kowalski)

  • net,dgram: workers can listen on exclusive ports (cjihrig)

  • net,stream: add isPaused, don't read() when paused (Chris Dickinson)

  • net: Ensure consistent binding to IPV6 if address is absent (Raymond Feng)

  • net: add remoteFamily for socket (Jackson Tian)

  • net: don't emit listening if handle is closed (Eli Skeggs)

  • net: don't prefer IPv4 addresses during resolution (cjihrig)

  • net: don't throw on net.Server.close() (cjihrig)

  • net: reset errorEmitted on reconnect (Ed Umansky)

  • node: set names for prototype methods (Trevor Norris)

  • node: support v8 microtask queue (Vladimir Kurchatkin)

  • path: fix slice OOB in trim (Lucio M. Tato)

  • path: isAbsolute() should always return boolean (Herman Lee)

  • process: throw TypeError if kill pid not a number (Sam Roberts)

  • querystring: custom encode and decode (fengmk2)

  • querystring: do not add sep for empty array (cjihrig)

  • querystring: remove prepended ? from query field (Ezequiel Rabinovich)

  • readline: fix close event of readline.Interface() (Yazhong Liu)

  • readline: fixes scoping bug (Dan Kaplun)

  • readline: implements keypress buffering (Dan Kaplun)

  • repl: fix multi-line input (Fedor Indutny)

  • repl: fix overwrite for this._prompt (Yazhong Liu)

  • repl: proper setPrompt() and multiline support (Fedor Indutny)

  • stream: don't try to finish if buffer is not empty (Vladimir Kurchatkin)

  • stream: only end reading on null, not undefined (Jonathan Reem)

  • streams: set default hwm properly for Duplex (Andrew Oppenlander)

  • string_bytes: ucs2 support big endian (Andrew Low)

  • tls, crypto: add DHE support (Shigeki Ohtsu)

  • tls: checkServerIdentity option (Trevor Livingston)

  • tls: add DHE-RSA-AES128-SHA256 to the def ciphers (Shigeki Ohtsu)

  • tls: better error reporting at cert validation (Fedor Indutny)

  • tls: support multiple keys/certs (Fedor Indutny)

  • tls: throw an error, not string (Jackson Tian)

  • udp: make it possible to receive empty udp packets (Andrius Bentkus)

  • url: treat \ the same as / (isaacs)

Source Code: http://nodejs.org/dist/v0.11.14/node-v0.11.14.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.11.14/node-v0.11.14.pkg

Windows Installer: http://nodejs.org/dist/v0.11.14/node-v0.11.14-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.11.14/x64/node-v0.11.14-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.11.14/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.11.14/node-v0.11.14-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.11.14/node-v0.11.14-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.11.14/node-v0.11.14-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.11.14/node-v0.11.14-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.11.14/

Website: http://nodejs.org/docs/v0.11.14/

Documentation: http://nodejs.org/docs/v0.11.14/api/

Shasums:

Tue, 16 Sep 2014 23:52:44 UTC - release

2014.09.16, Version 0.10.32 (Stable)

  • npm: Update to 1.4.28

  • v8: fix a crash introduced by previous release (Fedor Indutny)

  • configure: add --openssl-no-asm flag (Fedor Indutny)

  • crypto: use domains for any callback-taking method (Chris Dickinson)

  • http: do not send 0\r\n\r\n in TE HEAD responses (Fedor Indutny)

  • querystring: fix unescape override (Tristan Berger)

  • url: Add support for RFC 3490 separators (Mathias Bynens)

Source Code: http://nodejs.org/dist/v0.10.32/node-v0.10.32.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.32/node-v0.10.32.pkg

Windows Installer: http://nodejs.org/dist/v0.10.32/node-v0.10.32-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.32/x64/node-v0.10.32-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.32/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.32/node-v0.10.32-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.32/

Website: http://nodejs.org/docs/v0.10.32/

Documentation: http://nodejs.org/docs/v0.10.32/api/

Shasums:

Tue, 19 Aug 2014 22:12:08 UTC - release

2014.08.19, Version 0.10.31 (Stable)

  • v8: backport CVE-2013-6668

  • openssl: Update to v1.0.1i

  • npm: Update to v1.4.23

  • cluster: disconnect should not be synchronous (Sam Roberts)

  • fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)

  • stream: fix Readable.wrap objectMode falsy values (James Halliday)

  • timers: fix timers with non-integer delay hanging. (Julien Gilli)

Source Code: http://nodejs.org/dist/v0.10.31/node-v0.10.31.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.31/node-v0.10.31.pkg

Windows Installer: http://nodejs.org/dist/v0.10.31/node-v0.10.31-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.31/x64/node-v0.10.31-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.31/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.31/node-v0.10.31-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.31/

Website: http://nodejs.org/docs/v0.10.31/

Documentation: http://nodejs.org/docs/v0.10.31/api/

Shasums:

Thu, 31 Jul 2014 19:00:00 UTC - vulnerability

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your workload involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.

This issue was identified by Tom Steele of ^Lift Security. Fedor Indutny, Node.js Core Team member, worked closely with the V8 team to find our resolution.

The V8 issue is described here: https://codereview.chromium.org/339883002

It has landed in the Node repository here: https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

The Fix

The backport of the fix for Node.js is

diff --git a/deps/v8/src/isolate.h b/deps/v8/src/isolate.h
index b90191d..2769ca7 100644
--- a/deps/v8/src/isolate.h
+++ b/deps/v8/src/isolate.h
@@ -1392,14 +1392,9 @@ class StackLimitCheck BASE_EMBEDDED {
  public:
   explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { }

-  bool HasOverflowed() const {
+  inline bool HasOverflowed() const {
     StackGuard* stack_guard = isolate_->stack_guard();
-    // Stack has overflowed in C++ code only if stack pointer exceeds the C++
-    // stack guard and the limits are not set to interrupt values.
-    // TODO(214): Stack overflows are ignored if a interrupt is pending. This
-    // code should probably always use the initial C++ limit.
-    return (reinterpret_cast<uintptr_t>(this) < stack_guard->climit()) &&
-           stack_guard->IsStackOverflow();
+    return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();
   }
  private:
   Isolate* isolate_;
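
Review bot: In HasOverflowed() the explanatory comment is deleted and nothing replaces it, so the switch from climit() combined with IsStackOverflow() to a bare comparison against real_climit() is left unexplained at the one line where it matters. The removed TODO records that overflows were ignored while an interrupt was pending and that the check should use the initial C++ limit; a short comment stating what real_climit() returns and why it is safe to compare against while an interrupt is pending would keep that reasoning next to the code. The added inline is also redundant on a member function defined inside the class body and could be dropped.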

Remediation

The best course of action is to patch or upgrade Node.js.

Mitigation

To mitigate against deep JSON parsing you can limit the size of the string you parse against, or ban clients who trigger a RangeError for parsing JSON.

There is no specific maximum size of a JSON string, though keeping the max to the size of your known message bodies is suggested. If your message bodies cannot be over 20K, there's no reason to accept 1MB bodies.

For web frameworks that do automatic JSON parsing, you may need to configure the routes that accept JSON payloads to have a maximum body size.
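
The two mitigations above, sketched for a plain Node.js request handler. This is an added example, not code from the Node.js project: the function names, the `strikes` map and `MAX_STRIKES` are assumptions, and the 20 KB cap reuses the figure from the text.

```javascript
const MAX_BODY_BYTES = 20 * 1024; // cap taken from the "20K" figure above
const MAX_STRIKES = 3;            // hypothetical ban threshold
const strikes = new Map();        // client address -> RangeError count

// Collect a request body, aborting as soon as the cap is exceeded so an
// oversized payload is never buffered in full or handed to JSON.parse.
function readBody(req, maxBytes, done) {
  const chunks = [];
  let size = 0;
  let finished = false;
  const finish = (err, body) => {
    if (!finished) { finished = true; done(err, body); }
  };
  req.on('data', (chunk) => {
    size += chunk.length;
    if (size > maxBytes) {
      if (typeof req.destroy === 'function') req.destroy();
      return finish(Object.assign(new Error('body too large'), { status: 413 }));
    }
    chunks.push(chunk);
  });
  req.on('end', () => finish(null, Buffer.concat(chunks).toString('utf8')));
  req.on('error', (err) => finish(err));
}

// Parse JSON on behalf of a client. A RangeError (stack exhausted by deep
// nesting) counts as a strike; ordinary SyntaxErrors are rejected without one.
// `parse` is injectable so the strike path can be exercised in tests.
function parseClientJson(client, text, parse = JSON.parse) {
  if ((strikes.get(client) || 0) >= MAX_STRIKES) {
    return { ok: false, status: 403 };
  }
  try {
    return { ok: true, value: parse(text) };
  } catch (err) {
    if (err instanceof RangeError) {
      strikes.set(client, (strikes.get(client) || 0) + 1);
    } else if (!(err instanceof SyntaxError)) {
      throw err;
    }
    return { ok: false, status: 400, error: err.name };
  }
}
```

In an `http` server, call `readBody(req, MAX_BODY_BYTES, cb)` first and pass the result to `parseClientJson(req.socket.remoteAddress, body)`; the returned `status` maps directly onto the response code.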
