Closed
Description
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
- CVE-2018-0732 (OpenSSL)
- CVE-2018-12115 (Node.js)
Notable Changes
-
buffer: Fix out-of-bounds (OOB) write in
Buffer.write()for UCS-2 encoding (CVE-2018-12115) -
deps: Upgrade to OpenSSL 1.0.2p, fixing:
- Client DoS due to large DH parameter (CVE-2018-0732)
- ECDSA key extraction via local side-channel (CVE not assigned)
Commits
- [
fc14d812b7] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138 - [
8f59838ae7] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) #1836 - [
97607f8622] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) #1389 - [
46e4917d98] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) #1389 - [
1b93677a81] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #22320 - [
ebf399473b] - deps: upgrade openssl sources to 1.0.2p (Shigeki Ohtsu) #22320 - [
131c5ed438] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) #1389 - [
3139897ff5] - test: fix error messages for OpenSSL-1.0.2p (Shigeki Ohtsu) #22320 - [
0c047c4d9a] - test: update certificates and private keys (Fedor Indutny) #22184 - [
7c6d0f604b] - test: update keys/Makefile to clean and build all (Daniel Bevenius) #19975
Metadata
Metadata
Assignees
Labels
No labels