Skip to content

Commit 068cede

Browse files
MylesBorinsMylesBorins
committed
2017-10-24, Version 4.8.5 'Argon' (Maintenance)
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities. Notable Changes: * zlib: - CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. https://github.com/nodejs-private/node-private/pull/95 PR-URL: https://github.com/nodejs-private/node-private/pull/96
1 parent 274fa6e commit 068cede

File tree

2 files changed

+17
-1
lines changed

2 files changed

+17
-1
lines changed

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,8 @@ release.
9393
<a href="doc/changelogs/CHANGELOG_V6.md#6.0.0">6.0.0</a><br/>
9494
</td>
9595
<td valign="top">
96-
<b><a href="doc/changelogs/CHANGELOG_V4.md#4.8.4">4.8.4</a></b><br/>
96+
<b><a href="doc/changelogs/CHANGELOG_V4.md#4.8.5">4.8.5</a></b><br/>
97+
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.4">4.8.4</a><br/>
9798
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.3">4.8.3</a><br/>
9899
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.2">4.8.2</a><br/>
99100
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.1">4.8.1</a><br/>

doc/changelogs/CHANGELOG_V4.md

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77
</tr>
88
<tr>
99
<td valign="top">
10+
<a href="#4.8.5">4.8.5</a><br/>
1011
<a href="#4.8.4">4.8.4</a><br/>
1112
<a href="#4.8.3">4.8.3</a><br/>
1213
<a href="#4.8.2">4.8.2</a><br/>
@@ -63,6 +64,20 @@
6364
[Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and
6465
will be supported actively until April 2017 and maintained until April 2018.
6566

67+
<a id="4.8.5"></a>
68+
## 2017-10-24, Version 4.8.5 'Argon' (Maintenance), @MylesBorins
69+
70+
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities.
71+
72+
### Notable Changes
73+
74+
* **zlib**:
75+
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
76+
77+
### Commits
78+
79+
* [[`f5defa2a7c`](https://github.com/nodejs/node/commit/733578bb2e)] - **zlib**: gracefully set windowBits from 8 to 9 (Myles Borins) [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
80+
6681
<a id="4.8.4"></a>
6782
## 2017-07-11, Version 4.8.4 'Argon' (Maintenance), @MylesBorins
6883

0 commit comments

Comments
 (0)