Commits
Peter Korsgaard committed 560b1d374e1
nodejs: security bump to version 8.11.1 Fixes the following security issues: - Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value of localhost or localhost6. - Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions. - Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values. While we are at it, also add a hash for the license file. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 7f02604553bc3c8449d6a112818f038e99abbdaf) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>