Node v0.12.16 (Maintenance)

Rod Vagg

This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.

Notable changes:

  • buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat() while providing a totalLength parameter that exceeds the total length of the original Buffer objects being concatenated. (Сковорода Никита Андреевич)
  • http:
    • CVE-2016-5325 - Properly validate for allowable characters in the reason argument in ServerResponse#writeHead(). Fixes a possible response splitting attack vector. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
    • Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
  • openssl:
    • Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178 and CVE-2016-6306.
    • Remove support for loading dynamic third-party engine modules. An attacker may be able to hide malicious code to be inserted into Node.js at runtime by masquerading as one of the dynamic engine modules. Originally reported by Ahmed Zaki (Skype). (Ben Noordhuis, Rod Vagg)
  • tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of *. in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian). (Ben Noordhuis)

Commits:

Windows 32-bit Installer: https://nodejs.org/dist/v0.12.16/node-v0.12.16-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v0.12.16/x64/node-v0.12.16-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v0.12.16/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v0.12.16/x64/node.exe
Mac OS X Universal Installer: https://nodejs.org/dist/v0.12.16/node-v0.12.16.pkg
Mac OS X 64-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-darwin-x64.tar.gz
Mac OS X 32-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-darwin-x86.tar.gz
Linux 32-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-linux-x86.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-linux-x64.tar.gz
SmartOS 32-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-sunos-x86.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v0.12.16/node-v0.12.16-sunos-x64.tar.gz
Source Code: https://nodejs.org/dist/v0.12.16/node-v0.12.16.tar.gz
Other release files: https://nodejs.org/dist/v0.12.16/
Documentation: https://nodejs.org/docs/v0.12.16/api/

Shasums (GPG signing hash: SHA512, file hash: SHA256):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

6e1d0df2fbdb9255b1ad7fd5b4aa96590ced9053406b9ae336535dd587ae1631  node.exe
a0b4c351cc2d3624cf07c68fa9fcec08a7aa146c4436daf1325369345f3ae2ef  node.exp
24b3e250cfa8155d2f002af8328760aaa06ddceff745794e86bb3d0e372a244b  node.lib
cc8fbc5549d4b9dfd44a7cc76619cf635712fba8ab153fcbd37d94fcad130184  node.pdb
c602cbced0d6a2fb9d97f25a72833cf564b35fdf742f8627a93b6cdb5132ea95  node-v0.12.16-darwin-x64.tar.gz
5a91d99d8944ec8f88c2c6b9d51ad4159e84c2fcfcb29ddec6ea8516b05233e0  node-v0.12.16-darwin-x64.tar.xz
2cb0b6d33deab16aa261eeadec9c0da40d23e391b626a096f36b75ded62e471f  node-v0.12.16-darwin-x86.tar.gz
d0feea70fc15b658101b3517fe57c0cc9b3dedf4116f349c4be45e4850251964  node-v0.12.16-darwin-x86.tar.xz
cb30a68fc3a03b8bb98d8b17e389537610c7cf663e7dd113868c13c99fcffee6  node-v0.12.16-headers.tar.gz
84a1b0007dbaad41f5dc15ca2b57e365fa1cd82d4b1b9d744ab62dccd920b29e  node-v0.12.16-headers.tar.xz
d9e1cd239844f2a5641e02e48b3c7955e3e73ff3c3d20629c24b561f08ab8219  node-v0.12.16-linux-x64.tar.gz
7905d4c22aab6d65121a35daeada11d217f5d9608d5bde81007ccd908f3f793f  node-v0.12.16-linux-x64.tar.xz
ea95fb22f07469d79fd0347e4f768267be50889fd6de8854bf2f834c346c93a4  node-v0.12.16-linux-x86.tar.gz
12f2f7fddf5796d07851cb3b923290925c6ca1cf77cd26e67f56e9b8f16df5d3  node-v0.12.16-linux-x86.tar.xz
bc9984523ccd944be1cb8de4f4a454b5c1325b9bfae8db8a024a3be60ea5027f  node-v0.12.16.pkg
817671fe6303a1bf2ea47876e2fbbe271ec3ba721b6e688836117a70cc2631c3  node-v0.12.16-sunos-x64.tar.gz
b59b734777b9f2ab8006f85420d3b8e24634f424b0deb3ee85ab71dd74a4a981  node-v0.12.16-sunos-x64.tar.xz
452ade498e7b4d0050cc8c60bb6aa2dcb16562026441ad78063f473435691984  node-v0.12.16-sunos-x86.tar.gz
ea0867a8df11422f72a313643a49a92a6b161706875bd4ab8c0708662f53b8ee  node-v0.12.16-sunos-x86.tar.xz
312c0b74b0815f0514de9bf00667850d4f6ce184126f02f3d8dbf40fd48235eb  node-v0.12.16.tar.gz
4ce3a862eb28be752fbd65fe032c1d55cbbc1145af39292766eea701f67ba5f6  node-v0.12.16.tar.xz
9c66769c2b40c042658e3505432f8cf3c1c700245e93be98a24c482cec5923ea  node-v0.12.16-x86.msi
92111f120281409f0f41d8afb0746cc328c56227f6264ef610673268486d2043  openssl-cli.exe
b44576e0f9ee304102038491deb77c5b2d44a0499d119d23a0da945ff54308f6  openssl-cli.pdb
16e89836b368c67759ddb115ee5ed70449686cd387918c94bc0fa384120d586f  x64/node.exe
8b0fb2ffe3fa2aedf892a338d8783ce3b49a775335af007f41e0a293e692c436  x64/node.exp
7e060f0c42315dd3267ff4ab3907ab537d6b491c52b2353f4482a39146d73864  x64/node.lib
2bcc5665344c8c625d385d293fad2d520e332d06a327cd8bc1d7ede5ddff91f8  x64/node.pdb
4dd5fb2c022dfc46dd53c68bfb2461d4a8d8d6c79351f82db48af08e6193dd18  x64/node-v0.12.16-x64.msi
a5e97c0142cdffd2ce9dfad8652e2ab52a5503f5a91c8cfdcc653836cbd0e053  x64/openssl-cli.exe
d305298bfc3348bd0b01d84a0de9a16c04ae396261663fd44122c58ba9950c3c  x64/openssl-cli.pdb
-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJX6w2WAAoJEMJzeS99g1RdK88H/iV7CbWaI9/13eez1uKRZZHz
B/gGrcaCY6zihqCX6VT8uK/xhnI+ZRtxkTzwHxMnbYAuTK1V5tf4BJQOOXygm0+U
AsQAlJEZja9vb5D4hA+4wwSct3F39cADdgebpgPpAzdwB/xAkJZDNSrP9qtJs3gC
JjBX+pxepD9UHrfr9Jjka1yntdd+LXIaS4kHbdkolHAfrFGw+iTyjzibnRHndomb
JYC10JB+IGEFletFHylfj2J5znb1F4bHhatkoPDVPjat8KZLvXZCKeCdcLEWmYa5
mSSiw0VDmBcRnxkT648RKw12vULxQOV2ahVxc402Xbc2iMaekXOC0eaW2jfTolE=
=Hxbw
-----END PGP SIGNATURE-----

Last Updated
Sep 28, 2016
Reading Time
3 min read
Contribute
Edit this page
Table of Contents
  1. Notable changes:
  2. Commits: