Node.js 8.11.3和10.4.1发布，JavaScript运行时

Node.js 8.11.3 和 10.4.1 发布了，更新内容如下：

8.11.3

Notable Changes

• buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang

• http2

• (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup

• (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0

Commits

• [e1ff7c3cbc] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#125

• [c5a2748d8f] - doc: buffer.fill() can zero-fill on invalid input (Сковорода Никита Андреевич) nodejs-private/node-private#119

• [354f2d97ff] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#123

• [25c5111ca4] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#119

• [10c5adf19b] - test: add Realloc() shrink after reading stream data test (Anna Henningsen) nodejs-private/node-private#132

• [bc91220ca2] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#131

• [acd11b01c4] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#125

下载地址：

•  Source code (zip)

•  Source code (tar.gz)

10.4.1

Notable Changes

• Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.

• http2

• (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup

• (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0

• tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving

• n-api: Prevent use-after-free in napi_delete_async_work

Commits

• [1bbfe9a72b] - build: fix configure script for double-digits (Misty De Meo) #21183

• [4c90ee8fc6] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#117

• [e5c2f575b1] - deps: patch V8 to 6.7.288.45 (Michaël Zasso) #21192

• [03ded94ffe] - deps: patch V8 to 6.7.288.44 (Michaël Zasso) #21146

• [4de7e0c96c] - deps,npm: float node-gyp patch on npm (Rich Trott) #21239

• [92d7b6c9a0] - fs: fix promises reads with pos > 4GB (cjihrig) #21148

• [8681402228] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#115

• [53f8563353] - n-api: back up env before async work finalize (Gabriel Schulhof) #21129

• [9ba8ed1371] - src: re-add Realloc() shrink after reading stream data (Anna Henningsen) nodejs-private/node-private#128

• [8e979482fa] - Revert "src: restore stdio on program exit" (Evan Lucas) #21257

• [cb5ec64956] - src: reset TTY mode before cleaning up resources (Anna Henningsen) #21257

• [ae5567eaea] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#117

• [e87bf625dd] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#127

• [eea2bce58d] - tls: fix SSL write error handling (Anna Henningsen) nodejs-private/node-private#127

• [1e49eadd68] - tools,gyp: fix regex for version matching (Rich Trott) #21216

下载地址：

•  Source code (zip)

•  Source code (tar.gz)

发布公告