Node v6.9.0、v4.6.1、v0.12.17 和 v0.10.48 发布

发布于 2016-10-19 00:48:57 | 114 次阅读 | 评论: 0 | 来源: 网友投递

Node.js 是一个基于Chrome JavaScript 运行时建立的一个平台，用来方便地搭建快速的易于扩展的网络应用· Node.js 借助事件驱动，非阻塞I/O 模型变得轻量和高效，非常适合运行在分布式设备的数据密集型的实时应用

Node.js v6.9.0、v4.6.1、v0.12.17 和 v0.10.48 发布了。

Node.js v6.9.0 LTS "Boron" 值得关注的更新：

crypto: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location. (Fedor Indutny, Rod Vagg)
node: Introduce the process.release.lts property, set to "Boron". This value is "Argon" for v4 LTS releases and undefined for all other releases. (Rod Vagg)
V8: Backport fix for CVE-2016-5172, an arbitrary memory read. The parser in V8 mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process. (Rod Vagg)
v8_inspector: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Vulnerability originally reported by Jann Horn. (Eugene Ostroukhov)