Node v0.12.16 (Maintenance)
Rod Vagg
This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.
Notable changes:
- buffer: Zero-fill excess bytes in new
Buffer
objects created withBuffer.concat()
while providing atotalLength
parameter that exceeds the total length of the originalBuffer
objects being concatenated. (Сковорода Никита Андреевич) - http:
- CVE-2016-5325 - Properly validate for allowable characters in the
reason
argument inServerResponse#writeHead()
. Fixes a possible response splitting attack vector. This introduces a new case wherethrow
may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas) - Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
- CVE-2016-5325 - Properly validate for allowable characters in the
- openssl:
- Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178 and CVE-2016-6306.
- Remove support for loading dynamic third-party engine modules. An attacker may be able to hide malicious code to be inserted into Node.js at runtime by masquerading as one of the dynamic engine modules. Originally reported by Ahmed Zaki (Skype). (Ben Noordhuis, Rod Vagg)
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of
*.
in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian). (Ben Noordhuis)
Commits:
- [38d7258d89] - buffer: zero-fill uninitialized bytes in .concat() (Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/66
- [1ba6d16786] - build: turn on -fno-delete-null-pointer-checks (Ben Noordhuis) https://github.com/nodejs/node/pull/6737
- [71e4285e27] - crypto: don't build hardware engines (Rod Vagg) https://github.com/nodejs/node-private/pull/69
- [b6e0105a66] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25368
- [1caec97eab] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [734bc6938b] - deps: separate sha256/sha512-x86_64.pl for openssl (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [7cc6d4eb5c] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
- [4a9da21217] - deps: upgrade openssl sources to 1.0.1u (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
- [6d977902bd] - http: check reason chars in writeHead (Evan Lucas) https://github.com/nodejs/node-private/pull/47
- [ad470e496b] - http: disallow sending obviously invalid status codes (Evan Lucas) https://github.com/nodejs/node-private/pull/47
- [9dbde2fc88] - lib: make tls.checkServerIdentity() more strict (Ben Noordhuis) https://github.com/nodejs/node-private/pull/61
- [db80592071] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
Windows 32-bit Installer: https://nodejs.org/dist/v0.12.16/node-v0.12.16-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v0.12.16/x64/node-v0.12.16-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v0.12.16/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v0.12.16/x64/node.exe
Mac OS X Universal Installer: https://nodejs.org/dist/v0.12.16/node-v0.12.16.pkg
Mac OS X 64-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-darwin-x64.tar.gz
Mac OS X 32-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-darwin-x86.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-linux-x86.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-linux-x64.tar.gz
SmartOS 32-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-sunos-x86.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-sunos-x64.tar.gz
Source Code: https://nodejs.org/dist/v0.12.16/node-v0.12.16.tar.gz
Other release files: https://nodejs.org/dist/v0.12.16/
Documentation: https://nodejs.org/docs/v0.12.16/api/
Shasums (GPG signing hash: SHA512, file hash: SHA256):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
6e1d0df2fbdb9255b1ad7fd5b4aa96590ced9053406b9ae336535dd587ae1631 node.exe
a0b4c351cc2d3624cf07c68fa9fcec08a7aa146c4436daf1325369345f3ae2ef node.exp
24b3e250cfa8155d2f002af8328760aaa06ddceff745794e86bb3d0e372a244b node.lib
cc8fbc5549d4b9dfd44a7cc76619cf635712fba8ab153fcbd37d94fcad130184 node.pdb
c602cbced0d6a2fb9d97f25a72833cf564b35fdf742f8627a93b6cdb5132ea95 node-v0.12.16-darwin-x64.tar.gz
5a91d99d8944ec8f88c2c6b9d51ad4159e84c2fcfcb29ddec6ea8516b05233e0 node-v0.12.16-darwin-x64.tar.xz
2cb0b6d33deab16aa261eeadec9c0da40d23e391b626a096f36b75ded62e471f node-v0.12.16-darwin-x86.tar.gz
d0feea70fc15b658101b3517fe57c0cc9b3dedf4116f349c4be45e4850251964 node-v0.12.16-darwin-x86.tar.xz
cb30a68fc3a03b8bb98d8b17e389537610c7cf663e7dd113868c13c99fcffee6 node-v0.12.16-headers.tar.gz
84a1b0007dbaad41f5dc15ca2b57e365fa1cd82d4b1b9d744ab62dccd920b29e node-v0.12.16-headers.tar.xz
d9e1cd239844f2a5641e02e48b3c7955e3e73ff3c3d20629c24b561f08ab8219 node-v0.12.16-linux-x64.tar.gz
7905d4c22aab6d65121a35daeada11d217f5d9608d5bde81007ccd908f3f793f node-v0.12.16-linux-x64.tar.xz
ea95fb22f07469d79fd0347e4f768267be50889fd6de8854bf2f834c346c93a4 node-v0.12.16-linux-x86.tar.gz
12f2f7fddf5796d07851cb3b923290925c6ca1cf77cd26e67f56e9b8f16df5d3 node-v0.12.16-linux-x86.tar.xz
bc9984523ccd944be1cb8de4f4a454b5c1325b9bfae8db8a024a3be60ea5027f node-v0.12.16.pkg
817671fe6303a1bf2ea47876e2fbbe271ec3ba721b6e688836117a70cc2631c3 node-v0.12.16-sunos-x64.tar.gz
b59b734777b9f2ab8006f85420d3b8e24634f424b0deb3ee85ab71dd74a4a981 node-v0.12.16-sunos-x64.tar.xz
452ade498e7b4d0050cc8c60bb6aa2dcb16562026441ad78063f473435691984 node-v0.12.16-sunos-x86.tar.gz
ea0867a8df11422f72a313643a49a92a6b161706875bd4ab8c0708662f53b8ee node-v0.12.16-sunos-x86.tar.xz
312c0b74b0815f0514de9bf00667850d4f6ce184126f02f3d8dbf40fd48235eb node-v0.12.16.tar.gz
4ce3a862eb28be752fbd65fe032c1d55cbbc1145af39292766eea701f67ba5f6 node-v0.12.16.tar.xz
9c66769c2b40c042658e3505432f8cf3c1c700245e93be98a24c482cec5923ea node-v0.12.16-x86.msi
92111f120281409f0f41d8afb0746cc328c56227f6264ef610673268486d2043 openssl-cli.exe
b44576e0f9ee304102038491deb77c5b2d44a0499d119d23a0da945ff54308f6 openssl-cli.pdb
16e89836b368c67759ddb115ee5ed70449686cd387918c94bc0fa384120d586f x64/node.exe
8b0fb2ffe3fa2aedf892a338d8783ce3b49a775335af007f41e0a293e692c436 x64/node.exp
7e060f0c42315dd3267ff4ab3907ab537d6b491c52b2353f4482a39146d73864 x64/node.lib
2bcc5665344c8c625d385d293fad2d520e332d06a327cd8bc1d7ede5ddff91f8 x64/node.pdb
4dd5fb2c022dfc46dd53c68bfb2461d4a8d8d6c79351f82db48af08e6193dd18 x64/node-v0.12.16-x64.msi
a5e97c0142cdffd2ce9dfad8652e2ab52a5503f5a91c8cfdcc653836cbd0e053 x64/openssl-cli.exe
d305298bfc3348bd0b01d84a0de9a16c04ae396261663fd44122c58ba9950c3c x64/openssl-cli.pdb
-----BEGIN PGP SIGNATURE-----
iQEcBAEBAgAGBQJX6w2WAAoJEMJzeS99g1RdK88H/iV7CbWaI9/13eez1uKRZZHz
B/gGrcaCY6zihqCX6VT8uK/xhnI+ZRtxkTzwHxMnbYAuTK1V5tf4BJQOOXygm0+U
AsQAlJEZja9vb5D4hA+4wwSct3F39cADdgebpgPpAzdwB/xAkJZDNSrP9qtJs3gC
JjBX+pxepD9UHrfr9Jjka1yntdd+LXIaS4kHbdkolHAfrFGw+iTyjzibnRHndomb
JYC10JB+IGEFletFHylfj2J5znb1F4bHhatkoPDVPjat8KZLvXZCKeCdcLEWmYa5
mSSiw0VDmBcRnxkT648RKw12vULxQOV2ahVxc402Xbc2iMaekXOC0eaW2jfTolE=
=Hxbw
-----END PGP SIGNATURE-----