Node.js release: 2018-08-15, Version 10.9.0 (Current), @rvagg

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  • CVE-2018-0732 (OpenSSL)
  • CVE-2018-7166 (Node.js)
  • CVE-2018-12115 (Node.js)

Notable Changes

  • buffer:
    • Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
    • Fix unintentional exposure of uninitialized memory in Buffer.alloc() (CVE-2018-7166)
  • deps:
    • Upgrade to OpenSSL 1.1.0i, fixing:
      • Client DoS due to large DH parameter (CVE-2018-0732)
      • ECDSA key extraction via local side-channel (CVE not assigned)
    • Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
  • http: http.get() and http.request() (and https variants) can now accept three arguments to allow for a URL and an options object (Sam Ruby) #21616
  • Added new collaborators
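
The two buffer fixes above (CVE-2018-12115 and CVE-2018-7166) both concern memory-safety invariants that can be checked from JavaScript. The following is an added example, not code from the release notes or from the Node.js project: two regression-style checks that return true on a patched Node.js (10.9.0 or later). The function names and the 0xff canary value are this example's own choices; the OOB check carves the target out of a larger canary-filled backing buffer so that any write past the end would be visible in the trailing bytes.

```javascript
// Added example, not part of the Node.js 10.9.0 release notes: regression-style
// checks for the two Buffer fixes listed under "Notable Changes". Both helpers
// return true when the patched behaviour is observed. Function names and the
// canary value are this example's own choices.

// CVE-2018-12115: Buffer.write() with UCS-2 encoding must never write past the
// end of the target buffer. The target is carved out of a larger backing buffer
// pre-filled with a canary byte, so any overrun shows up in the trailing bytes.
function ucs2WriteStaysInBounds(targetLength, text, offset = 0) {
  const CANARY = 0xff;
  const backing = Buffer.alloc(targetLength + 16, CANARY);
  const target = backing.subarray(0, targetLength);

  const written = target.write(text, offset, 'ucs2');

  // UCS-2 uses 2 bytes per code unit and Node only writes whole code units,
  // so the byte count is capped at the even number of bytes that fit.
  const room = Math.max(0, targetLength - offset);
  const expected = Math.min(text.length * 2, room - (room % 2));
  const returnValueOk = written === expected;

  // Every byte after the target must still hold the canary.
  const canaryIntact = backing.subarray(targetLength).every((b) => b === CANARY);

  return returnValueOk && canaryIntact;
}

// CVE-2018-7166: Buffer.alloc() must return fully initialised memory. Without a
// fill the contents are all zero; with a fill, every byte must come from the
// repeated fill pattern rather than from whatever the allocator left behind.
function allocIsInitialised(size, fill, encoding) {
  const buf = fill === undefined
    ? Buffer.alloc(size)
    : Buffer.alloc(size, fill, encoding);
  if (buf.length !== size) return false;

  // Build the byte pattern the fill should have produced.
  let pattern;
  if (fill === undefined) pattern = Buffer.from([0]);
  else if (typeof fill === 'number') pattern = Buffer.from([fill & 0xff]);
  else pattern = Buffer.from(fill, encoding);
  if (pattern.length === 0) return false; // empty pattern: nothing to compare against

  // fill() repeats the pattern bytewise and truncates at the end of the buffer.
  return buf.every((b, i) => b === pattern[i % pattern.length]);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('ucs2 write stays in bounds:', ucs2WriteStaysInBounds(5, 'abc'));
  console.log('alloc zero-filled:', allocIsInitialised(32));
  console.log('alloc ucs2 fill:', allocIsInitialised(7, 'ab', 'ucs2'));
}
```

Run it with `node` on the release under test; a false result from either check points at the corresponding pre-fix behaviour. The odd-length target (5 bytes) and odd offset cases are included because a UCS-2 code unit is two bytes, so the byte count actually written must be rounded down to the even number that fits, and the canary bytes after the target must remain untouched.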

Commits

  • [58a9ae118e] - assert: fix loose assert with map and set (Ruben Bridgewater) #22145
  • [1c577016b8] - benchmark: improve assert benchmarks (Ruben Bridgewater) #22211
  • [734323d9eb] - buffer: stop alloc() uninitialized memory return (cjihrig) nodejs-private/node-private#137
  • [2c4c17b708] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138
  • [6622ac798d] - buffer: use FastBuffer when fill is set to 0 (Сковорода Никита Андреевич) #21989
  • [f506a5f46e] - build: make --shared-[...]-path work on Windows (Jeremy Apthorp) #21530
  • [1be6fb93c8] - build: add CONFIG_FLAGS to with-code-cache target (Daniel Bevenius) #22207
  • [4520bb8a73] - build: make tools/doc/node_modules non-phony (Daniel Bevenius) #22189
  • [c42ff4ebd8] - build: add crypto check to build targets (Daniel Bevenius) #22148
  • [cdb8c1b44d] - build: extract common parts from addon .buildstamp (Daniel Bevenius) #22171
  • [1e7a8c3016] - build: reset embedder string to "-node.0" (Michaël Zasso) #21079
  • [86ab2c041e] - crypto: remove unused SSLWrap handle methods (Jon Moss) #22216
  • [9212875406] - crypto: simplify state failure handling (Tobias Nießen) #22131
  • [916a1d59f0] - crypto: simplify Hmac::HmacUpdate (Tobias Nießen) #22132
  • [2dc7f17e8b] - (SEMVER-MINOR) crypto: add better scrypt option aliases (Anna Henningsen) #21525
  • [fcf422e921] - deps: backport c608122b from upstream (Ruben Bridgewater) #22210
  • [a07ccaeb19] - deps: update archs files for OpenSSL-1.1.0i (Shigeki Ohtsu) #22318
  • [473996c90f] - deps: add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) #19794
  • [05e48fd018] - deps: upgrade openssl sources to 1.1.0i (Shigeki Ohtsu) #22318
  • [f8bc5d6320] - deps: cherry-pick 09bca09 from upstream V8 (Matheus Marchini) #22068
  • [c69fdc9d5f] - (SEMVER-MINOR) deps: remove thread_local to fix V8 compilation (Peter Marshall) #21668
  • [981fff714e] - deps: refactor v8.gyp (Michaël Zasso) #22017
  • [5fa3ffad20] - (SEMVER-MINOR) deps: patch the V8 API to be backwards compatible with 6.7 (Peter Marshall) #21668
  • [6eed40acbb] - deps: cherry-pick 804a693 from upstream V8 (Matheus Marchini) #21855
  • [7eccaf86d6] - deps: V8: Backport of 0dd3390 from upstream (James M Snell) #21899
  • [328c89925a] - deps: cherry-pick 907d7bc from upstream V8 (Michaël Zasso) #21838
  • [afacfd2992] - deps: cherry-pick 2075910 from upstream V8 (Michaël Zasso) #21838
  • [4f24256274] - deps: cherry-pick 555c811 from upstream V8 (Anna Henningsen) #21741
  • [7b4272a14d] - deps: cherry-pick 477df06 from upstream v8 (Gus Caplan) #21644
  • [a0bf7aa07c] - deps: cherry-pick 70c4340 from upstream V8 (Matheus Marchini) #21126
  • [4994ac65b0] - deps: cherry-pick acc336c from upstream V8 (Matheus Marchini) #21126
  • [be569f82f1] - deps: cherry-pick b20faff from upstream V8 (Matheus Marchini) #21126
  • [6df5feb13f] - deps: cherry-pick aa6ce3e from upstream V8 (Michaël Zasso) #21079
  • [8b9a956f9e] - deps: cherry-pick 5dd3395 from upstream V8 (Matheus Marchini) #21386
  • [548008a6f6] - deps: update v8.gyp and run Torque (Michaël Zasso) #21079
  • [9c74271a96] - deps: update V8 to 6.8.275.24 (Michaël Zasso) #21079
  • [a3f3c40966] - doc: simplify urlObject.hash text (Rich Trott) #22326
  • [d2848697dc] - doc: simplify urlObject.hash description (Rich Trott) #22326
  • [6d29986f4d] - doc: simplify format description of urlObject.auth (Rich Trott) #22324
  • [a658a4df34] - doc: remove redundant explanation of format (Rich Trott) #22324
  • [3236697c0b] - doc: use italics for words-as-words (Rich Trott) #22324
  • [da76b61f59] - doc: bump ICU version to avoid confusion (Csaba Palfi) #22313
  • [e04b0532bf] - doc: document 'inherit' option for stdio (non-shorthand) (James Bromwell) #22309
  • [882c2c017a] - doc: clarify http2 docs around class exports (James M Snell) #22247
  • [dd96ba5b89] - doc: add multiple issue templates for GitHub (Tobias Nießen) #22215
  • [d95a22c304] - doc: declare all parameter types (Sam Ruby) #21782
  • [9e25028981] - doc: add missing option for child_process.spawnSync() (James Bromwell) #22231
  • [ef8d0fc490] - doc: list encodings supported by buffer.transcode (James M Snell) #22263
  • [1b41cd44b5] - doc: discuss special protocol handling (James M Snell) #22261
  • [cea8d4f4e9] - doc: replace _WG_ with _team_ (Rich Trott) #22183
  • [fafdae4ce1] - doc: add subprocess.ref() and subprocess.unref() (Thomas Hunter II) #22220
  • [d4f3615aaf] - doc: add gdams to collaborators (George Adams) #22236
  • [e75885f2e6] - doc: specify options parameter type in zlib.md (Vse Mozhet Byt) #21920
  • [40af9767a2] - doc: declare all parameter types (Sam Ruby) #21782
  • [38dd407c83] - doc: remove unused error codes from errors.md (Сковорода Никита Андреевич) #21491
  • [6c7733f58a] - doc: update recommendations for createCipher (Tobias Nießen) #22087
  • [34300aaaa4] - doc: correct crypto.randomFill() and randomFillSync() (Gerhard Stoebich) #21550
  • [28870a46ac] - doc: add rubys to collaborators (Sam Ruby) #22109
  • [d2ad9a2c13] - doc: fix return type of server.address() (Weijia Wang) #22043
  • [168abb5801] - doc: rename stackStartFunction in assert.md (Eugene Y. Q. Shen) #22077
  • [d364f9c8e7] - doc: fix changelog for v10.8.0 (Michaël Zasso) #22072
  • [abac0c56b8] - doc: mark DEP0004 and DEP0042 as End-of-Life (Jon Moss) #22033
  • [c6a56ae23e] - doc: correct grammatical error in BUILDING.md (Brandon Lee) #22067
  • [29bc55320c] - doc: fixup process.binding deprecation code (James M Snell) #22062
  • [ec9d529a32] - doc: documentation deprecation of process.binding (James M Snell) #22004
  • [37369eba38] - (SEMVER-MINOR) http: allow url and options to be passed to http*.request and http*.get (Sam Ruby) #21616
  • [1ca46ab6f4] - http,tls: name anonymous callbacks (Marco Levrero) #21412
  • [8d226c6a79] - http2: correcting the heading format (Anto Aravinth) #22262
  • [7223a91a50] - http2: explicitly disallow nested push streams (James M Snell) #22245
  • [cee78bf7a2] - http2: avoid race condition in OnHeaderCallback (James M Snell) #22256
  • [fcca2f7e49] - http2: remove streamError from docs (James M Snell) #22246
  • [2bf9a4a09e] - https: allow url and options to be passed to https.request (Sam Ruby) #22003
  • [4c5dc6e012] - inspector: tie objects lifetime to the thread they belong to (Eugene Ostroukhov) #22242
  • [39898695b6] - inspector: add inspector_protocol as a direct dependency (Andrey Lushnikov) #21975
  • [311ec12702] - inspector: fixed V8InspectorClient::currentTimeMS (Aleksey Kozyatinskiy) #21917
  • [8f7e37337f] - lib: remove unused filterInternalStackFrames param (MaleDong) #22267
  • [3f729aac20] - lib: extract validateString validator (Jon Moss) #22101
  • [f570c19c89] - perf_hooks: avoid memory leak on gc observer (James M Snell) #22241
  • [76a65921d3] - readline,zlib: named anonymous functions (Anto Aravinth) #21792
  • [e4f346892c] - repl: support multi-line string-keyed objects (Sam Ruby) #21805
  • [d0b0ea971a] - src: remove unnecessary writes in tls_wrap.cc (Anna Henningsen) #21984
  • [b2ac7a750f] - src: avoid possible race during NodeBIO initialization (Anna Henningsen) #21984
  • [d85b0a3c10] - src: use smart pointers for NodeBIO (Anna Henningsen) #21984
  • [82e71dd8bd] - src: fix integer overflow in GetNow (Anatoli Papirovski) #22214
  • [2737b46e16] - src: add READONLY_STRING_PROPERTY and simplify config (Jon Moss) #22222
  • [8b5485dcf5] - src: fix up doc comment for experimental-worker bool (Anna Henningsen) #22165
  • [e90e56f4ca] - src: remove calls to deprecated v8 functions (NumberValue) (Ujjwal Sharma) #22094
  • [c09872b749] - src: remove unused env->vm_parsing_context_symbol (Jon Moss) #22034
  • [6ca00d7044] - src: remove unused env strings (Jon Moss) #22137
  • [0ca831a0ed] - src: clean up PackageConfig pseudo-boolean fields (Anna Henningsen) #21987
  • [00c33a5131] - src: clean up agent loop when exiting through destructor (Anna Henningsen) #21867
  • [ba480d33ce] - src: use only one tracing write fs req at a time (Anna Henningsen) #21867
  • [6b58746b2e] - src: use unique_ptr for internal JSON trace writer (Anna Henningsen) #21867
  • [ce48936077] - src: plug trace file file descriptor leak (Anna Henningsen) #21867
  • [89e23021fb] - src: initialize file trace writer on tracing thread (Anna Henningsen) #21867
  • [56edd5fc5b] - src: close tracing event loop (Anna Henningsen) #21867
  • [4c9c1bbc45] - src: fix tracing if cwd or file path is inaccessible (Anna Henningsen) #21867
  • [c101b396aa] - src: refactor default trace writer out of agent (Anna Henningsen) #21867
  • [daafe6c195] - src: refactor tracing agent code (Anna Henningsen) #21867
  • [4379140dbf] - src: minor refactor of node_trace_events.cc (Anna Henningsen) #21867
  • [cde0e5f396] - src: reduce unnecessary includes (Anna Henningsen) #21867
  • [31e3e6f1f8] - stream: fix readable behavior for highWaterMark === 0 (Denys Otrishko) #21690
  • [9d89b3c7ec] - test: rename some allegories (Vse Mozhet Byt) #22307
  • [1d15f33277] - test: call gc() explicitly to avoid OOM (Refael Ackermann) #22301
  • [a7dad4565b] - test: move test-http-client-timeout-option-with-agent to sequential (Ouyang Yadong) #22083
  • [a414b0757a] - test: add test-http2-large-file sequential test (James M Snell) #22254
  • [01fe2cee5b] - test: fix error messages for OpenSSL-1.1.0i (Shigeki Ohtsu) #22318
  • [c145690aad] - test: improve test coverage for comparisons (Ruben Bridgewater) #22212
  • [bdc644f2ec] - test: remove common.fileExists() (Rich Trott) #22151
  • [bc1cb7b7fc] - test: handle errors correctly in GC http test (Ouyang Yadong) #22185
  • [cefc4a03cc] - test: remove second arg from assert.ifError() (Musa Hamwala) #22190
  • [b1cbbbc7af] - test: move require of https to after crypto check (Daniel Bevenius) #22148
  • [a6ab19a96a] - test: move require of http2 to after crypto check (Daniel Bevenius) #22148
  • [7a4c7e6c82] - test: don't mask descriptor.enumerable (Thomas Leah) #22172
  • [5018661a85] - test: remove common.fileExists() (Richard Lau) #22200
  • [77ce40fa03] - test: remove unused argument in assertion (yahavfuchs) #22113
  • [6daa4f8797] - test: update postmortem metadata test (cjihrig) #21079
  • [16a929b867] - test: fix scriptParsed event expectations (Ingvar Stepanyan) #21079
  • [e58c17b849] - test: update certificates and private keys (Fedor Indutny) #22184
  • [d38ccaa421] - test: fix n-api addon build warnings (Kyle Farnung) #21808
  • [d66e52fb8e] - test: run ESM tests in parallel (Michaël Zasso) #21919
  • [6cff57e98d] - test: fix incorrect file mode check (Timothy Gu) #22023
  • [dafaff3a5e] - test: remove unused config (Benjamin Gruenbaum) #21985
  • [a569ae4b44] - test: remove third argument from assert.strictEqual() (Rishabh Singh) #22051
  • [a60060b499] - test: remove third argument from call to assert.strictEqual() (Michael Sommer) #22047
  • [246a94f301] - test: see value of "hadError" in tls test (Oryan Moshe) #22069
  • [a40ee213b3] - test: improve reliability in http2-session-timeout (Rich Trott) #22026
  • [e2d97eeb65] - test: remove outdated documentation (Jon Moss) #22009
  • [94746d6a47] - test: remove outdated, non-functioning test (Anatoli Papirovski) #20894
  • [0beffc0f3b] - test: remove test/gc, integrate into parallel (Anna Henningsen) #22001
  • [c2372eac16] - test: add tracing crash regression test (Eugene Ostroukhov) #21867
  • [7e23080d45] - test: pass through stderr in benchmark tests (Anna Henningsen) #21860
  • [52020dc09a] - test: refactor test-http2-compat-serverresponse-finished.js (Anto Aravinth) #21929
  • [88665b3cef] - test,doc: fix async-hooks coverage doc for md lint (Rod Vagg) #22296
  • [d60b017135] - test,doc: adjust markdown table for linting (Rich Trott) #22221
  • [8f56cc0321] - test,doc: adjust async-hooks coverage doc for lint (Rich Trott) #22221
  • [5c41caa1cc] - test,doc: wrap common module md doc at 80 chars (Rich Trott) #22221
  • [21883be05d] - test,doc: fix lint error in test fixtures (Rich Trott) #22221
  • [ec2209dc8b] - tls: change var to const (Eugen Cazacu) #22219
  • [2d1c1853e9] - tls: remove SLAB_BUFFER_SIZE (Anatoli Papirovski) #21199
  • [f989681e34] - tls: preallocate SSL cipher array (Tobias Nießen) #22136
  • [6cd2d1dddc] - tools: fix header escaping regression (Sam Ruby) #22084
  • [80dd0445c6] - tools: add no-misleading-character-class ESLint rule (Vse Mozhet Byt) #22278
  • [bc35f17b7b] - tools: do not autolink section to itself (Vse Mozhet Byt) #22138
  • [950a4a9b91] - tools: update ESLint to 5.3.0 (Rich Trott) #22134
  • [0c67d326dc] - tools: convert addon-verify to remark (Sam Ruby) #21978
  • [c85d00b786] - tools: produce JSON documentation using unified/remark/rehype (Sam Ruby) #21697
  • [f0c871b0c7] - tools: add make format-cpp to run clang-format on C++ diffs (Joyee Cheung) #21997
  • [5a4abbadfe] - tools: update to using dmn 1.0.11 (Rich Trott) #22035
  • [7a7c194f4e] - tools: fix docs and run known_issues by default (Jon Moss) #21910
  • [4995b28a11] - tools,build: apply markdown linting to test dir (Rich Trott) #22221
  • [ad46cca104] - trace_events: add node.promises category, rejection counter (James M Snell) #22124
  • [b171fa2530] - util: improve display of iterators and weak entries (Ruben Bridgewater) #20961
  • [f1c22eaa56] - util,assert: fix boxed primitives bug (Ruben Bridgewater) #22243
  • [677d10cdd1] - worker: fix deadlock when calling terminate from exit handler (Anna Henningsen) #22073
  • [4b0d2de5f4] - zlib: remove unused parameters (MaleDong) #22115