mirror of https://github.com/nodejs/node.git synced 2024-11-29 23:16:30 +01:00
nodejs/doc/changelogs
Rod Vagg 0e6750d1cd 2016-10-18 Node.js v6.9.0 'Boron' (LTS) Release
This release marks the transition of Node.js v6 into Long Term Support
(LTS) with the codename 'Boron'. The v6 release line now moves into
"Active LTS" and will remain so until April 2018. After that time it
will move into "Maintenance" until end of life in April 2019.

This is also a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* crypto: Don't automatically attempt to load an OpenSSL configuration
  file, from the `OPENSSL_CONF` environment variable or from the
  default location for the current platform. Always triggering a
  configuration file load attempt may allow an attacker to load
  compromised OpenSSL configuration into a Node.js process if they are
  able to place a file in a default location. (Fedor Indutny, Rod Vagg)
* node: Introduce the `process.release.lts` property, set to `"Boron"`.
  This value is `"Argon"` for v4 LTS releases and `undefined` for all
  other releases. (Rod Vagg)
* V8: Backport fix for CVE-2016-5172, an arbitrary memory read.
  The parser in V8 mishandled scopes, potentially allowing an attacker
  to obtain sensitive information from arbitrary memory locations via
  crafted JavaScript code. This vulnerability would require an
  attacker to be able to execute arbitrary JavaScript code in a
  Node.js process. (Rod Vagg)
* **v8_inspector**: Generate a UUID for each execution of the
  inspector. This provides additional security to prevent unauthorized
  clients from connecting to the Node.js process via the v8_inspector
  port when running with `--inspect`. Since the debugging protocol
  allows extensive access to the internals of a running process, and
  the execution of arbitrary code, it is important to limit
  connections to authorized tools only. Vulnerability originally
  reported by Jann Horn. (Eugene Ostroukhov)

PR-URL: https://github.com/nodejs/node-private/pull/81
2016-10-19 04:22:07 +11:00
CHANGELOG_ARCHIVE.md doc: fix broken links in changelogs 2016-10-11 16:41:45 -05:00
CHANGELOG_IOJS.md doc: fix broken links in changelogs 2016-10-11 16:41:45 -05:00
CHANGELOG_V4.md 2016-10-18, Version 4.6.1 'Argon' (LTS) 2016-10-19 04:01:02 +11:00
CHANGELOG_V5.md doc: fix broken links in changelogs 2016-10-11 16:41:45 -05:00
CHANGELOG_V6.md 2016-10-18 Node.js v6.9.0 'Boron' (LTS) Release 2016-10-19 04:22:07 +11:00
CHANGELOG_V010.md 2016-10-18 Version 0.10.48 (Maintenance) Release 2016-10-19 04:00:57 +11:00
CHANGELOG_V012.md 2016-10-18 Version 0.12.17 (Maintenance) Release 2016-10-19 04:00:49 +11:00