2020-02-06, Version 10.19.0 'Dubnium' (LTS), @BethGriggs
Notable changes
This is a security release.
Vulnerabilities fixed:
- CVE-2019-15606: HTTP header values do not have trailing OWS (optional whitespace, RFC 7230) trimmed.
- CVE-2019-15605: HTTP request smuggling using a malformed Transfer-Encoding header.
- CVE-2019-15604: A malformed certificate string can remotely trigger an assertion on a TLS server.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the `--insecure-http-parser` command line flag, or the `insecureHTTPParser` option of the `http` module (configurable per server or per request). Using the insecure HTTP parser should be avoided.
Commits
- [f940bee3b7] - crypto: fix assertion caused by unsupported ext (Fedor Indutny) nodejs-private/node-private#175
- [49f4220ce5] - deps: upgrade http-parser to v2.9.3 (Sam Roberts) nodejs-private/http-parser-private#4
- [a28e5cc1ed] - (SEMVER-MINOR) deps: upgrade http-parser to v2.9.1 (Sam Roberts) #30471
- [0082f62d9c] - (SEMVER-MINOR) http: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) #31448
- [a9849c0ff6] - (SEMVER-MINOR) http: opt-in insecure HTTP header parsing (Sam Roberts) #30567
- [2eee90e959] - http: strip trailing OWS from header values (Sam Roberts) nodejs-private/node-private#191
- [e2c8f89b75] - test: using TE to smuggle reqs is not possible (Sam Roberts) nodejs-private/node-private#192
- [d616722f65] - test: check that --insecure-http-parser works (Sam Roberts) #31253