Wed, 17 Dec 2014 22:15:16 UTC - release

2014.12.17, Version 0.10.34 (Stable)

  • uv: update to v0.10.30

  • zlib: upgrade to v1.2.8

  • child_process: check execFile args is an array (Sam Roberts)

  • child_process: check fork args is an array (Sam Roberts)

  • crypto: update root certificates (Ben Noordhuis)

  • domains: fix issues with abort on uncaught (Julien Gilli)

  • timers: Avoid linear scan in _unrefActive. (Julien Gilli)

  • timers: fix unref() memory leak (Trevor Norris)

  • v8: add api for aborting on uncaught exception (Julien Gilli)

  • debugger: fix when using "use strict" (Julien Gilli)

Source Code:

Macintosh Installer (Universal):

Windows Installer:

Windows x64 Installer:

Windows x64 Files:

Linux 32-bit Binary:

Linux 64-bit Binary:

Solaris 32-bit Binary:

Solaris 64-bit Binary:

Other release files:




Hash: SHA1

8df2fdb333dd8edee59ceaf72738e3773c7863e6  node-v0.10.34-darwin-x64.tar.gz
03168c2157baff928a397b85d8a7e6731b270f9a  node-v0.10.34-darwin-x86.tar.gz
f064a252827c8129126f0e8ab3c8bf46f92506ec  node-v0.10.34-linux-x64.tar.gz
fe0343f97c35aeb2c72bfd997dafde947ff44c23  node-v0.10.34-linux-x86.tar.gz
4b3ccf37886f8056800ed174688c8782f9857d52  node-v0.10.34-sunos-x64.tar.gz
ea891434436ed91d806201eb329d3c98f7e3c6b6  node-v0.10.34-sunos-x86.tar.gz
7609d6dda6071e499a54656bbf85f16ed097c106  node-v0.10.34-x86.msi
56e2aec59ac526d3daf607c7f50c2faf3e857cff  node-v0.10.34.pkg
a342eb4d653ab48ba016c0c0c259565c822881cc  node-v0.10.34.tar.gz
c71dce9dd3f3fbff34506a4edc3e37c59e31d7bd  node.exe
ffc836802c3b2e25b38f4f73c0f044fef345e152  node.exp
3e24f9c69826f320d303795c3564994e4311879f  node.lib
8ccb4fdaaaec797e0762cea38112af5456fe3f7e  node.pdb
fa0d0c098f475d6e1d6ad74c301a2361a9ac9888  openssl-cli.exe
72772212ff62ecbf76ca468f402184e3f364de51  openssl-cli.pdb
c54153231d0003792c4431cea38b9cb733a142b5  x64/node-v0.10.34-x64.msi
b84684c92ed41a883452eb65a3010223378eb1ca  x64/node.exe
c95e2dd11dc216c4b2d5a76852d2a0e7a8b247bc  x64/node.exp
41db33520c33c576e4591771c371ae5f2644cadf  x64/node.lib
d2ebec3f34e1a7e7969bfbe3330140f253b3cf9c  x64/node.pdb
b678c997ad7747c4c35dc8c8362730fca5bad97c  x64/openssl-cli.exe
f38f6eaae3aa2b11f3835b67f2dce04f4fc0fab8  x64/openssl-cli.pdb
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools -


Thu, 23 Oct 2014 19:12:33 UTC - release

This release handles the recent POODLE vulnerability by disabling SSLv2/SSLv3 by default for the most predominate uses of TLS in Node.js.

It took longer than expected to get this release accomplished in a way that would provide appropriate default security settings, while minimizing the surface area for the behavior change we were introducing. It was also important that we validated that our changes were being applied in the variety of configurations we support in our APIs.

With this release, we are confident that the only behavior change is that of the default allowed protocols do not include SSLv2 or SSLv3. Though you are still able to programatically consume those protocols if necessary.

Included is the documentation that you can find at that describes how this works going forward for client and server implementations.

Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these protocols are disabled. They are considered insecure and could be easily compromised as was shown by [CVE-2014-3566][]. However, in some situations, it may cause problems with legacy clients/servers (such as Internet Explorer 6). If you wish to enable SSLv2 or SSLv3, run node with the --enable-ssl2 or --enable-ssl3 flag respectively. In future versions of Node.js SSLv2 and SSLv3 will not be compiled in by default.

There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly specifying secureProtocol to 'SSLv3_method' or 'SSLv2_method'.

The default protocol method Node.js uses is SSLv23_method which would be more accurately named AutoNegotiate_method. This method will try and negotiate from the highest level down to whatever the client supports. To provide a secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3 and SSLv2 by setting the secureOptions to be SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2 (again, unless you have passed --enable-ssl3, or --enable-ssl2, or SSLv3_method as secureProtocol).

If you have set securityOptions to anything, we will not override your options.

The ramifications of this behavior change:

  • If your application is behaving as a secure server, clients who are SSLv3 only will now not be able to appropriately negotiate a connection and will be refused. In this case your server will emit a clientError event. The error message will include 'wrong version number'.
  • If your application is behaving as a secure client and communicating with a server that doesn't support methods more secure than SSLv3 then your connection won't be able to negotiate and will fail. In this case your client will emit a an error event. The error message will include 'wrong version number'.

2014.10.20, Version 0.10.33 (Stable)

  • openssl: Update to 1.0.1j (Addressing multiple CVEs)

  • uv: Update to v0.10.29

  • child_process: properly support optional args (cjihrig)

  • crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

This is a behavior change, by default we will not allow the negotiation to SSLv2 or SSLv3. If you want this behavior, run Node.js with either --enable-ssl2 or --enable-ssl3 respectively.

This does not change the behavior for users specifically requesting SSLv2_method or SSLv3_method. While this behavior is not advised, it is assumed you know what you're doing since you're specifically asking to use these methods.

Source Code:

Macintosh Installer (Universal):

Windows Installer:

Windows x64 Installer:

Windows x64 Files:

Linux 32-bit Binary:

Linux 64-bit Binary:

Solaris 32-bit Binary:

Solaris 64-bit Binary:

Other release files:




Hash: SHA1

03e72005a4ed612aa7a984d840f148bfb76f3c5f  node-v0.10.33-darwin-x64.tar.gz
f40319ad8720d350ea45e56d5d9018c244482ddc  node-v0.10.33-darwin-x86.tar.gz
4eba69caf7368d7f388700eb02996f85b06f457a  node-v0.10.33-linux-x64.tar.gz
62a58b74851350a935e781d216484966b04ae097  node-v0.10.33-linux-x86.tar.gz
aea7f541e21b57a07b15ab8d825c43f04a2f7440  node-v0.10.33-sunos-x64.tar.gz
97b1d889a299afd6f0c0bb320646d92b7c498d01  node-v0.10.33-sunos-x86.tar.gz
8a637d14609208d31fe466cd4961bec58a8f8f9b  node-v0.10.33-x86.msi
81fcb80d7181768a7211a337c084b4a0b139dd74  node-v0.10.33.pkg
69aeeade5fef622c3150cfc2b4a8f70eea1ef1ec  node-v0.10.33.tar.gz
69275030a0549c27189a8f25396997deb70462ad  node.exe
13dc334420abeaab9b7b3d184e0c5126250ce4e7  node.exp
0379528f6d65eef73ceaeaf9acfe327648a9bc83  node.lib
c23021453a5331954929cff26f7a7f5131af4351  node.pdb
0fe937289a228a5bbc4fc97664eabbdc3a9792e5  openssl-cli.exe
e1cff728f900bda134973666f75aae52a2d60e86  openssl-cli.pdb
6173345fb3c8388abb2a415b99bb4962ebd8e123  x64/node-v0.10.33-x64.msi
a4142d8a122317cc2e32caa643def2797e5f2cd7  x64/node.exe
e067c6d6904a15a494b6b9f3e84cb07dc738c2ea  x64/node.exp
63567e086a965f3ae452b6caace401592cd8c0ec  x64/node.lib
e2cedfc1dd02f1d365314b162167ffb12d1cb0b1  x64/node.pdb
68d60b60f03e703184a10d0a6adff69d9302b93e  x64/openssl-cli.exe
4cd9e8bcf4fa9134a2e84473ec3d7d4b4cd31013  x64/openssl-cli.pdb
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools -


Thu, 25 Sep 2014 00:12:24 UTC - release

2014.09.24, Version 0.11.14 (Unstable)

  • uv: Upgrade to v1.0.0-rc1

  • http_parser: Upgrade to v2.3.0

  • npm: Upgrade to v2.0.0

  • openssl: Upgrade to v1.0.1i

  • v8: Upgrade to 3.26.33

  • Add fast path for simple URL parsing (Gabriel Wicke)

  • Added support for options parameter in console.dir() (Xavi Magrinyà)

  • Cluster: fix shared handles on Windows (Alexis Campailla)

  • buffer: Fix incorrect behavior (Feross Aboukhadijeh)

  • buffer: construct new buffer from buffer toJSON() output (cjihrig)

  • buffer: improve Buffer constructor (Kang-Hao Kenny)

  • build: linking CoreFoundation framework for OSX (Thorsten Lorenz)

  • child_process: accept uid/gid everywhere (Fedor Indutny)

  • child_process: add path to spawn ENOENT Error (Ryan Cole)

  • child_process: copy spawnSync() cwd option to proper buffer (cjihrig)

  • child_process: do not access stderr when stdio set to 'ignore' (cjihrig)

  • child_process: don't throw on EAGAIN (Charles)

  • child_process: don't throw on EMFILE/ENFILE (Ben Noordhuis)

  • child_process: use full path for cmd.exe on Win32 (Ed Morley)

  • cluster: allow multiple calls to setupMaster() (Ryan Graham)

  • cluster: centralize removal from workers list. (Julien Gilli)

  • cluster: enable error/message events using .worker (cjihrig)

  • cluster: include settings object in 'setup' event (Ryan Graham)

  • cluster: restore v0.10.x setupMaster() behaviour (Ryan Graham)

  • cluster: support options in Worker constructor (cjihrig)

  • cluster: test events emit on cluster.worker (Sam Roberts)

  • console: console.dir() accepts options object (Xavi Magrinyà)

  • crypto: add honorCipherOrder argument (Fedor Indutny)

  • crypto: allow padding in RSA methods (Fedor Indutny)

  • crypto: clarify RandomBytes() error msg (Mickael van der Beek)

  • crypto: never store pointer to conn in SSL_CTX (Fedor Indutny)

  • crypto: unsigned value can't be negative (Brian White)

  • dgram: remove new keyword from errnoException (Jackson Tian)

  • dns: always set variable family in lookup() (cjihrig)

  • dns: include host name in error message if available (Maciej Małecki)

  • dns: introduce lookupService function (Saúl Ibarra Corretgé)

  • dns: send lookup c-ares errors to callback (Chris Dickinson)

  • dns: throw if hostname is not string or falsey (cjihrig)

  • events: Output the event that is leaking (Arnout Kazemier)

  • fs: close file if fstat() fails in readFile() (cjihrig)

  • fs: fs.readFile should not throw uncaughtException (Jackson Tian)

  • http: add 308 status_code, see RFC7238 (Yazhong Liu)

  • http: don't default OPTIONS to chunked encoding (Nick Muerdter)

  • http: fix bailout for writeHead (Alex Kocharin)

  • http: remove unused code block (Fedor Indutny)

  • http: write() after end() emits an error. (Julien Gilli)

  • lib, src: add vm.runInDebugContext() (Ben Noordhuis)

  • lib: noisy deprecation of child_process customFds (Ryan Graham)

  • module: don't require fs several times (Robert Kowalski)

  • net,dgram: workers can listen on exclusive ports (cjihrig)

  • net,stream: add isPaused, don't read() when paused (Chris Dickinson)

  • net: Ensure consistent binding to IPV6 if address is absent (Raymond Feng)

  • net: add remoteFamily for socket (Jackson Tian)

  • net: don't emit listening if handle is closed (Eli Skeggs)

  • net: don't prefer IPv4 addresses during resolution (cjihrig)

  • net: don't throw on net.Server.close() (cjihrig)

  • net: reset errorEmitted on reconnect (Ed Umansky)

  • node: set names for prototype methods (Trevor Norris)

  • node: support v8 microtask queue (Vladimir Kurchatkin)

  • path: fix slice OOB in trim (Lucio M. Tato)

  • path: isAbsolute() should always return boolean (Herman Lee)

  • process: throw TypeError if kill pid not a number (Sam Roberts)

  • querystring: custom encode and decode (fengmk2)

  • querystring: do not add sep for empty array (cjihrig)

  • querystring: remove prepended ? from query field (Ezequiel Rabinovich)

  • readline: fix close event of readline.Interface() (Yazhong Liu)

  • readline: fixes scoping bug (Dan Kaplun)

  • readline: implements keypress buffering (Dan Kaplun)

  • repl: fix multi-line input (Fedor Indutny)

  • repl: fix overwrite for this._prompt (Yazhong Liu)

  • repl: proper setPrompt() and multiline support (Fedor Indutny)

  • stream: don't try to finish if buffer is not empty (Vladimir Kurchatkin)

  • stream: only end reading on null, not undefined (Jonathan Reem)

  • streams: set default hwm properly for Duplex (Andrew Oppenlander)

  • string_bytes: ucs2 support big endian (Andrew Low)

  • tls, crypto: add DHE support (Shigeki Ohtsu)

  • tls: checkServerIdentity option (Trevor Livingston)

  • tls: add DHE-RSA-AES128-SHA256 to the def ciphers (Shigeki Ohtsu)

  • tls: better error reporting at cert validation (Fedor Indutny)

  • tls: support multiple keys/certs (Fedor Indutny)

  • tls: throw an error, not string (Jackson Tian)

  • udp: make it possible to receive empty udp packets (Andrius Bentkus)

  • url: treat the same as / (isaacs)

Source Code:

Macintosh Installer (Universal):

Windows Installer:

Windows x64 Installer:

Windows x64 Files:

Linux 32-bit Binary:

Linux 64-bit Binary:

Solaris 32-bit Binary:

Solaris 64-bit Binary:

Other release files:




Hash: SHA1

aef6375b86ab40102ff6b879b60c042399fd6606  node-v0.11.14-darwin-x64.tar.gz
c0f1a9d8614513eeb9014aa385e01fd9177227bd  node-v0.11.14-darwin-x86.tar.gz
b3f2a9029e2a6cb3816be5ddcc9cf3dd87e145d6  node-v0.11.14-linux-x64.tar.gz
0c0e69ff51ce33afa192e030e082d4da34ab8060  node-v0.11.14-linux-x86.tar.gz
0308c18297398578de67abff012a7797bdbeb073  node-v0.11.14-sunos-x64.tar.gz
6411add5321401e774cb2ce2c8ca79f3a072dfc9  node-v0.11.14-sunos-x86.tar.gz
ec3fad6d8714ba6d9182974f0ee249d0e8d194b7  node-v0.11.14-x86.msi
38bc708503a91f17f3ea7b0a3a77028582d43a48  node-v0.11.14.pkg
159860fd6d27c9abf2254529e22fe67e385809d6  node-v0.11.14.tar.gz
b00d35d90de8ee133d282e5f15d038ffccc43b41  node.exe
1e7a51f619dd5f7b0d903267f87ed25d3171ccb1  node.exp
7999caa1359645cae722b03b38ebdfdd5b1972c0  node.lib
14fd5b212d48d9f42d9d24adb7b3a325d0472fe3  node.pdb
00c1cc43acf4853fdd2be5b549d3be0157b5f212  openssl-cli.exe
1ebfdc1d8572c2a167111bb11496b67cbf1177bf  openssl-cli.pdb
3f05fc2f4aa95e688bde41c3264ef9295f307ad0  x64/node-v0.11.14.20140819-x64.msi
7c808b88a4c1042ba806dfc32a79ced8cffce180  x64/node.exe
6b8f97668b44cc18ca5c3829a4082c620037d2c6  x64/node.exp
53368a3f8c37d6a716b6d78be1a20fc1e692c22a  x64/node.lib
8c524ce3726e503e4900658241983f364e5aed06  x64/node.pdb
aa1db1b7a5d2d5416c6a44023865f02f34812c29  x64/openssl-cli.exe
90b865ed6df55bde36d24ee7405bdc54b49b8c1e  x64/openssl-cli.pdb
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools -


Tue, 16 Sep 2014 23:52:44 UTC - release

2014.09.16, Version 0.10.32 (Stable)

  • npm: Update to 1.4.28

  • v8: fix a crash introduced by previous release (Fedor Indutny)

  • configure: add --openssl-no-asm flag (Fedor Indutny)

  • crypto: use domains for any callback-taking method (Chris Dickinson)

  • http: do not send 0rnrn in TE HEAD responses (Fedor Indutny)

  • querystring: fix unescape override (Tristan Berger)

  • url: Add support for RFC 3490 separators (Mathias Bynens)

Source Code:

Macintosh Installer (Universal):

Windows Installer:

Windows x64 Installer:

Windows x64 Files:

Linux 32-bit Binary:

Linux 64-bit Binary:

Solaris 32-bit Binary:

Solaris 64-bit Binary:

Other release files:




Hash: SHA1

e2e1e876514ee33b2dd019c25dcb4bc7cdaff414  node-v0.10.32-darwin-x64.tar.gz
ff48e0be62f42e03218bbb00d5088251088f93bd  node-v0.10.32-darwin-x86.tar.gz
fadefc15a992d21bd19d0d3ec174390d1e7fcb72  node-v0.10.32-linux-x64.tar.gz
40fa3f0b0a3eaa3a6da7975b7935d0809d0e8ac7  node-v0.10.32-linux-x86.tar.gz
b171f2285b5088f125a36e88b5313364302882e8  node-v0.10.32-sunos-x64.tar.gz
ef213a76b4945ab13edb6833af47d8f77b4841ac  node-v0.10.32-sunos-x86.tar.gz
f2538f0037c017f245db6b54c6b8198bec2868c9  node-v0.10.32-x86.msi
6171c86864205400e5b670c1218614bb0c969107  node-v0.10.32.pkg
1d748171ba2a9568853ccec442c5f62c46fccc20  node-v0.10.32.tar.gz
2cb67e294fa7929bb5e51a3f51d53e6e8731bdc9  node.exe
00d6d8a5137ec5d37660c16b72f756a9e2bc92fe  node.exp
3688c7f807641af9f0c3858e34f5fc97ce8109fd  node.lib
3b3746d07c24d25b0a00f9a5a2a2967554d3d8cb  node.pdb
0fd292fd5911d1ef3d27dc60cf246c0dde2e8124  openssl-cli.exe
8d51cd58f156a07785a618e3f9065e2d6ea24ee6  openssl-cli.pdb
df83faf27410a6fb7f099c29338c52b7d4224e2f  x64/node-v0.10.32-x64.msi
0a52577221e7c5272cac2e5ef324c031ab23f13d  x64/node.exe
88682bc4dc10208fd2fb8505a1aa4155ab0e5790  x64/node.exp
1ea6d44876afdaf263e378918f1edc35630561f7  x64/node.lib
d1c5e98f218b3fec0ff3e6489ded94b8353191d6  x64/node.pdb
14664ceeed377f0d0e5f3f5ad00b56e80ac7c323  x64/openssl-cli.exe
653a3719ac038f9d05737c717cd44af9043d38c1  x64/openssl-cli.pdb
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools -


Page 2 →