Node.js v6.9.0、v4.6.1、v0.12.17 和 v0.10.48 发布了。Node.js 是一套用来编写高性能网络服务器的 JavaScript 工具包 Node.js v6.9.0 LTS "Boron" 值得关注的更新: crypto: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment
variable or from the default location for the current platform. Always
triggering a configuration file load attempt may allow an attacker to
load compromised OpenSSL configuration into a Node.js process if they
are able to place a file in a default location. (Fedor Indutny, Rod
Vagg) node: Introduce the process.release.lts property, set to "Boron" . This value is "Argon" for v4 LTS releases and undefined for all other releases. (Rod Vagg) V8:
Backport fix for CVE-2016-5172, an arbitrary memory read. The parser in
V8 mishandled scopes, potentially allowing an attacker to obtain
sensitive information from arbitrary memory locations via crafted
JavaScript code. This vulnerability would require an attacker to be able
to execute arbitrary JavaScript code in a Node.js process. (Rod Vagg) v8_inspector:
Generate a UUID for each execution of the inspector. This provides
additional security to prevent unauthorized clients from connecting to
the Node.js process via the v8_inspector port when running with --inspect .
Since the debugging protocol allows extensive access to the internals
of a running process, and the execution of arbitrary code, it is
important to limit connections to authorized tools only. Vulnerability
originally reported by Jann Horn. (Eugene Ostroukhov)
发行主页和下载地址 Node v4.6.1 (LTS) 值得关注的更新: 发行主页和下载地址 Node v0.10.48 (Maintenance) 值得关注的更新 发行主页和下载地址 Node v0.12.17 (Maintenance) 值得关注的更新 发行主页和下载地址 |