Tue, 12 Nov 2013 20:52:56 UTC - release

2013.11.12, Version 0.10.22 (Stable)

  • npm: Upgrade to 1.3.14

  • uv: Upgrade to v0.10.19

  • child_process: don't assert on stale file descriptor events (Fedor Indutny)

  • darwin: Fix "Not Responding" in Mavericks activity monitor (Fedor Indutny)

  • debugger: Fix bug in sb() with unnamed script (Maxim Bogushevich)

  • repl: do not insert duplicates into completions (Maciej Małecki)

  • src: Fix memory leak on closed handles (Timothy J Fontaine)

  • tls: prevent stalls by using read(0) (Fedor Indutny)

  • v8: use correct timezone information on Solaris (Maciej Małecki)

Source Code: http://nodejs.org/dist/v0.10.22/node-v0.10.22.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.22/node-v0.10.22.pkg

Windows Installer: http://nodejs.org/dist/v0.10.22/node-v0.10.22-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.22/x64/node-v0.10.22-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.22/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.22/node-v0.10.22-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.22/node-v0.10.22-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.22/node-v0.10.22-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.22/node-v0.10.22-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.22/

Website: http://nodejs.org/docs/v0.10.22/

Documentation: http://nodejs.org/docs/v0.10.22/api/

Shasums:


Wed, 30 Oct 2013 15:54:47 UTC - release

2013.10.30, Version 0.11.8 (Unstable)

  • uv: Upgrade to v0.11.14

  • v8: upgrade 3.21.18.3

  • assert: indicate if exception message is generated (Glen Mailer)

  • buffer: add buf.toArrayBuffer() API (Trevor Norris)

  • cluster: fix premature 'disconnect' event (Ben Noordhuis)

  • crypto: add SPKAC support (Jason Gerfen)

  • debugger: count space for line numbers correctly (Alex Kocharin)

  • debugger: make busy loops SIGUSR1-interruptible (Ben Noordhuis)

  • debugger: repeat last command (Alex Kocharin)

  • debugger: show current line, fix for #6150 (Alex Kocharin)

  • dgram: send() can accept strings (Trevor Norris)

  • dns: rename domain to hostname (Ben Noordhuis)

  • dns: set hostname property on error object (Ben Noordhuis)

  • dtrace, mdb_v8: support more string, frame types (Dave Pacheco)

  • http: add statusMessage (Patrik Stutz)

  • http: expose supported methods (Ben Noordhuis)

  • http: provide backpressure for pipeline flood (isaacs)

  • process: Add exitCode property (isaacs)

  • tls: socket.renegotiate(options, callback) (Fedor Indutny)

  • util: format as Error if instanceof Error (Rod Vagg)

Source Code: http://nodejs.org/dist/v0.11.8/node-v0.11.8.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.11.8/node-v0.11.8.pkg

Windows Installer: http://nodejs.org/dist/v0.11.8/node-v0.11.8-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.11.8/x64/node-v0.11.8-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.11.8/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.11.8/node-v0.11.8-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.11.8/node-v0.11.8-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.11.8/node-v0.11.8-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.11.8/node-v0.11.8-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.11.8/

Website: http://nodejs.org/docs/v0.11.8/

Documentation: http://nodejs.org/docs/v0.11.8/api/

Shasums:


Tue, 22 Oct 2013 17:42:10 UTC - vulnerability

Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection.

We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP servers in production update as soon as possible.

This is fixed in Node.js by pausing both the socket and the HTTP parser whenever the downstream writable side of the socket is awaiting a drain event. In the attack scenario, the socket will eventually time out, and be destroyed by the server. If the "attacker" is not malicious, but merely sends a lot of requests and reacts to them slowly, then the throughput on that connection will be reduced to what the client can handle.

There is no change to program semantics, and except in the pathological cases described, no changes to behavior.
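The backpressure rule described above, as an added illustration that is not Node.js core code: a `Writable` that never completes a write stands in for a socket whose client does not read, and the hypothetical `servePipelined` models the parser loop with and without the pause. The 16 KB high-water mark and 1 KB response size are constructed values.

```javascript
const { Writable } = require('stream');

// Stand-in for a socket whose peer never reads: _write never invokes its
// callback, so written data stays buffered and 'drain' is never emitted.
function stalledSocket(highWaterMark) {
  return new Writable({
    highWaterMark,
    write(chunk, encoding, callback) { /* peer is not reading */ }
  });
}

// Hypothetical model of a server handling `requestCount` pipelined requests
// that arrived on one connection. Each request produces one response of
// `responseBytes` bytes written back to the same socket.
function servePipelined(requestCount, responseBytes, honorBackpressure) {
  const socket = stalledSocket(16 * 1024);        // constructed high-water mark
  const response = Buffer.alloc(responseBytes, 0x2e);
  let parsed = 0;
  let paused = false;

  while (parsed < requestCount && !paused) {
    parsed += 1;                                  // parser emits the next request
    const belowMark = socket.write(response);     // handler writes its response
    // The fix: once write() reports the buffer is at or over the high-water
    // mark, stop reading and parsing until 'drain' (which never comes here;
    // a real server would then hit its socket timeout and destroy the socket).
    if (!belowMark && honorBackpressure) paused = true;
  }
  return { parsed, bufferedBytes: socket.writableLength, paused };
}

// Constructed workload: 10,000 pipelined requests, 1 KB response each.
const unpatched = servePipelined(10000, 1024, false);
const patched = servePipelined(10000, 1024, true);
console.log('no backpressure :', unpatched); // buffer grows with request count
console.log('with backpressure:', patched);  // buffer capped near high-water mark
```

Without the pause, buffered response bytes scale with the number of pipelined requests; with it, they stay bounded by the high-water mark regardless of how many requests are queued.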

If upgrading is not possible, then putting an HTTP proxy in front of the Node.js server can mitigate the vulnerability, but only if the proxy parses HTTP and is not itself vulnerable to a pipeline flood DoS.

For example, nginx will prevent the attack (since it closes connections after 100 pipelined requests by default), but HAProxy in raw TCP mode will not (since it proxies the TCP connection without regard for HTTP semantics).

This addresses CVE-2013-4450.

Fri, 18 Oct 2013 22:39:23 UTC - release

This release contains a security fix for the HTTP server implementation; please upgrade as soon as possible. Details will be released soon.

2013.10.18, Version 0.10.21 (Stable)

  • uv: Upgrade to v0.10.18

  • crypto: clear errors from verify failure (Timothy J Fontaine)

  • dtrace: interpret two byte strings (Dave Pacheco)

  • fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)

  • http: provide backpressure for pipeline flood (isaacs)

  • tls: fix premature connection termination (Ben Noordhuis)

Source Code: http://nodejs.org/dist/v0.10.21/node-v0.10.21.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.21/node-v0.10.21.pkg

Windows Installer: http://nodejs.org/dist/v0.10.21/node-v0.10.21-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.21/x64/node-v0.10.21-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.21/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.21/node-v0.10.21-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.21/

Website: http://nodejs.org/docs/v0.10.21/

Documentation: http://nodejs.org/docs/v0.10.21/api/

Shasums:

