2018-11-27, Version 8.14.0 'Carbon' (LTS), @rvagg

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
• Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
• Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
• Node.js: HTTP request splitting (CVE-2018-12116)
• OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
• OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

Notable Changes

• deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
• http:
  • Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
  • A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
  • Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
• url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)

Commits

• [add20f373c] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836
• [c4e382cce3] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389
• [f1d1f12519] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389
• [69037ad5c4] - deps: copy all openssl header files to include dir (Sam Roberts) #24530
• [f5b34336bb] - deps: upgrade openssl sources to 1.0.2q (Sam Roberts) #24530
• [93dba83fb0] - deps,http: http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143
• [576038fb61] - (SEMVER-MINOR) http: add --security-revert for CVE-2018-12116 (Matteo Collina) nodejs-private/node-private#146
• [513e9747a2] - (SEMVER-MINOR) http: disallow two-byte characters in URL path (Benno Fünfstück) nodejs-private/node-private#146
• [696f063c5e] - (SEMVER-MINOR) http,https: protect against slow headers attack (Matteo Collina) nodejs-private/node-private#151
• [7f362a11ee] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389
• [53a6e4eb20] - url: avoid hostname spoofing w/ javascript protocol (Matteo Collina) nodejs-private/node-private#145