Node.js v6.9.0、v4.6.1、v0.12.17 和 v0.10.48 发布了。Node.js 是一套用来编写高性能网络服务器的 JavaScript 工具包
Node.js v6.9.0 LTS "Boron" 值得关注的更新:
crypto: Don't automatically attempt to load an OpenSSL configuration file, from the
OPENSSL_CONFenvironment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location. (Fedor Indutny, Rod Vagg)node: Introduce the
process.release.ltsproperty, set to"Boron". This value is"Argon"for v4 LTS releases andundefinedfor all other releases. (Rod Vagg)V8: Backport fix for CVE-2016-5172, an arbitrary memory read. The parser in V8 mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process. (Rod Vagg)
v8_inspector: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with
--inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Vulnerability originally reported by Jann Horn. (Eugene Ostroukhov)
Node v4.6.1 (LTS) 值得关注的更新:
c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more information at https://c-ares.haxx.se/adv_20160929.html (Daniel Stenberg)
Node v0.10.48 (Maintenance) 值得关注的更新
c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more information at https://c-ares.haxx.se/adv_20160929.html (Rod Vagg)
Node v0.12.17 (Maintenance) 值得关注的更新
c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more information at https://c-ares.haxx.se/adv_20160929.html (Daniel Stenberg)