These are flagged by Markdownlint MD001 rule.
PR-URL: https://github.com/nodejs/node/pull/29331
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
* crypto:
* Added an oaepHash option to asymmetric encryption which allows
users to specify a hash function when using OAEP padding.
https://github.com/nodejs/node/pull/28335
* deps:
* Updated V8 to 7.6.303.29. https://github.com/nodejs/node/pull/28955
* Improves the performance of various APIs such as `JSON.parse` and
methods called on frozen arrays.
* Adds the Promise.allSettled method.
* Improves support of `BigInt` in `Intl` methods.
* For more information: https://v8.dev/blog/v8-release-76
* Updated libuv to 1.31.0. https://github.com/nodejs/node/pull/29070
* `UV_FS_O_FILEMAP` has been added for faster access to memory
mapped files on Windows.
* `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on
Windows. It previously returned `UV_ENOENT`.
* The `uv_fs_statfs()` API has been added.
* The `uv_os_environ()` and `uv_os_free_environ()` APIs have been
added.
* fs:
* Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise
version) methods. They allow to write an array of `ArrayBufferView`s
to a file descriptor. https://github.com/nodejs/node/pull/25925https://github.com/nodejs/node/pull/29186
* http:
* Added three properties to `OutgoingMessage.prototype`:
`writableObjectMode`, `writableLength` and `writableHighWaterMark`
https://github.com/nodejs/node/pull/29018
* stream:
* Added an new property `readableEnded` to readable streams. Its value
is set to `true` when the `'end'` event is emitted.
https://github.com/nodejs/node/pull/28814
* Added an new property `writableEnded` to writable streams. Its value
is set to `true` after `writable.end()` has been called.
https://github.com/nodejs/node/pull/28934
PR-URL: https://github.com/nodejs/node/pull/29210
This is a security release.
Notable changes:
Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data
in 1-byte chunks. Depending on how efficiently this data is queued,
this can consume excess CPU, memory, or both, potentially leading to a
denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of
service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume
excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer
queues the RST_STREAM frames, this can consume excess memory, CPU,or
both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
headers with a 0-length header name and 0-length header value,
optionally Huffman encoded into 1-byte or greater headers. Some
implementations allocate memory for these headers and keep the
allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave
the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a
large response object. Depending on how the servers queue the
responses, this can consume excess memory, CPU, or both, potentially
leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
peer spends time processing each frame disproportionate to attack
bandwidth. This can consume excess CPU, potentially leading to a
denial of service. (Discovered by Piotr Sikora of Google)
PR-URL: https://github.com/nodejs/node/pull/29152
This is a security release.
Notable changes:
Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data
in 1-byte chunks. Depending on how efficiently this data is queued,
this can consume excess CPU, memory, or both, potentially leading to a
denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of
service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume
excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer
queues the RST_STREAM frames, this can consume excess memory, CPU,or
both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
headers with a 0-length header name and 0-length header value,
optionally Huffman encoded into 1-byte or greater headers. Some
implementations allocate memory for these headers and keep the
allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave
the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a
large response object. Depending on how the servers queue the
responses, this can consume excess memory, CPU, or both, potentially
leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
peer spends time processing each frame disproportionate to attack
bandwidth. This can consume excess CPU, potentially leading to a
denial of service. (Discovered by Piotr Sikora of Google)
PR-URL: https://github.com/nodejs/node/pull/29148
This is a security release.
Notable changes:
Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data
in 1-byte chunks. Depending on how efficiently this data is queued,
this can consume excess CPU, memory, or both, potentially leading to a
denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of
service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume
excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer
queues the RST_STREAM frames, this can consume excess memory, CPU,or
both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
headers with a 0-length header name and 0-length header value,
optionally Huffman encoded into 1-byte or greater headers. Some
implementations allocate memory for these headers and keep the
allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave
the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a
large response object. Depending on how the servers queue the
responses, this can consume excess memory, CPU, or both, potentially
leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
peer spends time processing each frame disproportionate to attack
bandwidth. This can consume excess CPU, potentially leading to a
denial of service. (Discovered by Piotr Sikora of Google)
PR-URL: https://github.com/nodejs/node/pull/29133
Notable changes:
* doc:
* The JSON variant of the API documentation is no longer experimental
(Rich Trott) https://github.com/nodejs/node/pull/27842.
* esm:
* JSON module support is always enabled under
`--experimental-modules`. The `--experimental-json-modules` flag
has been removed (Myles Borins)
https://github.com/nodejs/node/pull/27752.
* http,http2:
* A new flag has been added for overriding the default HTTP server
socket timeout (which is two minutes). Pass
`--http-server-default-timeout=milliseconds`
or `--http-server-default-timeout=0` to respectively change or
disable the timeout. Starting with Node.js 13.0.0, the timeout will
be disabled by default
(Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/27704.
* inspector:
* Added an experimental `--heap-prof` flag to start the V8 heap
profiler on startup and write the heap profile to disk before exit
(Joyee Cheung) https://github.com/nodejs/node/pull/27596.
* stream:
* The `readable.unshift()` method now correctly converts strings to
buffers. Additionally, a new optional argument is accepted to
specify the string's encoding, such as `'utf8'` or `'ascii'`
(Marcos Casagrande) https://github.com/nodejs/node/pull/27194.
* v8:
* The object returned by `v8.getHeapStatistics()` has two new
properties: `number_of_native_contexts` and
`number_of_detached_contexts` (Yuriy Vasiyarov)
https://github.com/nodejs/node/pull/27933.
PR-URL: https://github.com/nodejs/node/pull/28040
Notable changes:
* deps:
* Updated llhttp to 1.1.3. This fixes a bug that made Node.js' HTTP
parser refuse any request URL that contained the "|" (vertical bar)
character. https://github.com/nodejs/node/pull/27595
* tls:
* Added an `enableTrace()` method to `TLSSocket` and an `enableTrace`
option to `tls.createServer()`. When enabled, TSL packet trace
information is written to `stderr`. This can be used to debug TLS
connection problems. https://github.com/nodejs/node/pull/27497https://github.com/nodejs/node/pull/27376
* cli:
* Added a `--trace-tls` command-line flag that enables tracing of TLS
connections without the need to modify existing application code.
https://github.com/nodejs/node/pull/27497
* Added a `--cpu-prof-interval` command-line flag. It can be used to
specify the sampling interval for the CPU profiles generated by
`--cpu-prof`. https://github.com/nodejs/node/pull/27535
* module:
* Added the `createRequire()` method. It allows to create a require
function from a file URL object, a file URL string or an absolute
path string. The existing `createRequireFromPath()` method is now
deprecated https://github.com/nodejs/node/pull/27405.
* Throw on `require('./path.mjs')`. This is technically a breaking
change that should have landed with Node.js 12.0.0. It is necessary
to have this to keep the possibility for a future minor version to
load ES Modules with the require function.
https://github.com/nodejs/node/pull/27417
* repl:
* The REPL now supports multi-line statements using `BigInt` literals
as well as public and private class fields and methods.
https://github.com/nodejs/node/pull/27400
* The REPL now supports tab autocompletion of file paths with `fs`
methods. https://github.com/nodejs/node/pull/26648
* meta:
* Added Christian Clauss (https://github.com/cclauss) to
collaborators. https://github.com/nodejs/node/pull/27554
PR-URL: https://github.com/nodejs/node/pull/27578
PR-URL: https://github.com/nodejs/node/pull/26931
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with keep-alive HTTP connections
(CVE-2019-5739)
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
* OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Notable Changes:
* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
certain circumstances, a TLS server can be forced to respond differently to
a client if a zero-byte record is received with an invalid padding
compared to a zero-byte record with an invalid MAC. This can be used as the
basis of a padding oracle attack to decrypt data.
* http:
- Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS
connections remaining open and inactive for an extended period of time,
leading to a potential Denial of Service (DoS).
(CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)
- Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/169
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
* OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Notable Changes:
* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
certain circumstances, a TLS server can be forced to respond differently to
a client if a zero-byte record is received with an invalid padding
compared to a zero-byte record with an invalid MAC. This can be used as the
basis of a padding oracle attack to decrypt data.
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/165
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
A fix for the following CVE is included in this release:
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
Notable Changes:
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/164
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
A fix for the following CVE is included in this release:
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
Notable Changes:
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/163
The 10.14.0 security release introduced some unexpected breakages on
the 10.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.
Notable Changes:
* cli:
- add --max-http-header-size flag (cjihrig)
https://github.com/nodejs/node/pull/24811
* http:
- add maxHeaderSize property (cjihrig)
https://github.com/nodejs/node/pull/24860
PR-URL: https://github.com/nodejs/node/pull/25176
The 8.14.0 security release introduced some unexpected breakages on
the 8.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.
Notable changes:
* cli:
- add --max-http-header-size flag (cjihrig)
https://github.com/nodejs/node/pull/24811
* http:
- add maxHeaderSize property (cjihrig)
https://github.com/nodejs/node/pull/24860
PR-URL: https://github.com/nodejs/node/pull/25177
The 6.15.0 security release introduced some unexpected breakages on
the 6.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.
Notable changes:
* cli:
- add --max-http-header-size flag (cjihrig)
https://github.com/nodejs/node/pull/24811
* http:
- add maxHeaderSize property (cjihrig)
https://github.com/nodejs/node/pull/24860
PR-URL: https://github.com/nodejs/node/pull/25178
