Node v0.8.17 (Stable)


Isaac Schlueter

Jan 9, 2013, 8:20:12 PM
to nodejs
This release addresses a potential security vulnerability.

If you do not use TypedArrays, then you're fine (but should still
upgrade for other reasons, like better performance and npm
peerDependencies.)

If you use TypedArrays, you should upgrade to v0.8.17 as soon as
possible. If user input can affect the size parameter in a
TypedArray, an integer overflow vulnerability could allow an attacker
to write to areas of memory outside the intended buffer. Please
upgrade ASAP.


2012.01.09, Version 0.8.17 (Stable)

* npm: Upgrade to v1.2.0
  - peerDependencies (Domenic Denicola)
  - node-gyp v0.8.2 (Nathan Rajlich)
  - Faster installs from github user/project shorthands (Nathan Zadoks)

* typed arrays: fix 32 bit size/index overflow (Ben Noordhuis)

* http: Improve performance of single-packet responses (Ben Noordhuis)

* install: fix openbsd man page location (Ben Noordhuis)

* http: bubble up parser errors to ClientRequest (Brian White)


Source Code: http://nodejs.org/dist/v0.8.17/node-v0.8.17.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.8.17/node-v0.8.17.pkg

Windows Installer: http://nodejs.org/dist/v0.8.17/node-v0.8.17-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.8.17/x64/node-v0.8.17-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.8.17/x64/

Linux 32-bit Binary:
http://nodejs.org/dist/v0.8.17/node-v0.8.17-linux-x86.tar.gz

Linux 64-bit Binary:
http://nodejs.org/dist/v0.8.17/node-v0.8.17-linux-x64.tar.gz

Solaris 32-bit Binary:
http://nodejs.org/dist/v0.8.17/node-v0.8.17-sunos-x86.tar.gz

Solaris 64-bit Binary:
http://nodejs.org/dist/v0.8.17/node-v0.8.17-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.8.17/

Website: http://nodejs.org/docs/v0.8.17/

Documentation: http://nodejs.org/docs/v0.8.17/api/

Shasums:

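The announcement above warns about user input reaching a TypedArray size parameter. The following is an added example, not part of the original post and not Node.js source: a generic model of how a 32-bit size product can wrap, plus a guard that validates an untrusted element count before construction. The function names and `MAX_BYTES` are hypothetical, and the code is written for a current Node.js runtime.

```javascript
// Added illustration; not Node.js source. All names and MAX_BYTES are hypothetical.

// Application-chosen ceiling for one allocation (assumption).
const MAX_BYTES = 16 * 1024 * 1024;

// Generic model of an unchecked 32-bit size computation: the product
// count * bytesPerElement is truncated to 32 bits, so a huge element
// count can produce a tiny byte length.
function wrappedByteLength32(count, bytesPerElement) {
  return Math.imul(count, bytesPerElement) >>> 0;
}

// Validate an untrusted element count before it reaches a TypedArray
// constructor. Returns the count as a number or throws RangeError.
function checkedElementCount(input, bytesPerElement, maxBytes = MAX_BYTES) {
  let n = input;
  if (typeof input === 'string') {
    // Plain decimal digits only: no sign, exponent, hex or whitespace.
    if (!/^[0-9]{1,10}$/.test(input)) {
      throw new RangeError('element count must be a decimal integer');
    }
    n = Number(input);
  }
  if (typeof n !== 'number' || !Number.isInteger(n) || n < 0) {
    throw new RangeError('element count must be a non-negative integer');
  }
  // Compare against maxBytes / size rather than multiplying, the form a
  // fixed-width implementation needs so the check itself cannot wrap.
  if (n > Math.floor(maxBytes / bytesPerElement)) {
    throw new RangeError('element count exceeds allocation limit');
  }
  return n;
}

// Example call site: the only path from request data to the constructor.
function allocateUint32Array(input) {
  const count = checkedElementCount(input, Uint32Array.BYTES_PER_ELEMENT);
  return new Uint32Array(count);
}
```

Upgrading remains the fix; a guard like this bounds allocations driven by request data regardless of runtime version.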

Ben Noordhuis

Jan 9, 2013, 8:29:31 PM
to nod...@googlegroups.com
Another reason to upgrade is that certain kinds of HTTP responses are
immensely faster now. Quoting the commit log:

http: pack response body buffer in first tcp packet

Apply the same optimization to res.end(buf) that is applied to res.end(str).

Speeds up `node benchmark/http_simple_auto -k -c 1 -n 25000 buffer/1`
(non-chunked response body) by about 750x. That's not a typo.

Chunked responses:

```
$ cat tmp/http-chunked-client.js
// Run `node benchmark/http_simple` in another terminal.
var http = require('http'), url = require('url');
var options = url.parse('http://127.0.0.1:8000/buffer/1/1');
options.agent = new http.Agent({ maxSockets: 1 });
for (var i = 0; i < 25000; ++i) http.get(options);
```

Before:

```
$ time out/Release/node tmp/http-chunked-client.js
real 16m40.411s
user 0m9.184s
sys 0m0.604s
```

After:

```
$ time out/Release/node tmp/http-chunked-client.js
real 0m5.386s
user 0m2.768s
sys 0m0.728s
```

That's still a 185x speed-up.

Isaac Schlueter

Jan 9, 2013, 10:06:45 PM
to Louis Galipeau, nodejs
Fixed the pkg file, and the x64 release apparently got the wrong
version. Updated shasums:



On Wed, Jan 9, 2013 at 6:27 PM, Louis Galipeau <lo...@muloka.com> wrote:
> Thanks for this release.
>
> By the way 404, re:

Arunoda Susiripala

Jan 9, 2013, 10:41:53 PM
to nod...@googlegroups.com, Louis Galipeau
GYP update is a really good one.
Cheers.

--
Arunoda Susiripala

Jorge Chamorro

Jan 10, 2013, 7:19:17 AM
to nod...@googlegroups.com
On 10/01/2013, at 02:29, Ben Noordhuis wrote:
> On Thu, Jan 10, 2013 at 2:20 AM, Isaac Schlueter <i...@izs.me> wrote:
>> This release addresses a potential security vulnerability.
>>
>> If you do not use TypedArrays, then you're fine (but should still
>> upgrade for other reasons, like better performance and npm
>> peerDependencies.)
>>
>> If you use TypedArrays, you should upgrade to v0.8.17 as soon as
>> possible. If user input can affect the size parameter in a
>> TypedArray, an integer overflow vulnerability could allow an attacker
>> to write to areas of memory outside the intended buffer. Please
>> upgrade ASAP.
>
> Another reason to upgrade is that certain kinds of HTTP responses are
> immensely faster now. Quoting the commit log:
>
> http: pack response body buffer in first tcp packet
>
> Apply the same optimization to res.end(buf) that is applied to res.end(str).
>
> Speeds up `node benchmark/http_simple_auto -k -c 1 -n 25000 buffer/1`
> (non-chunked response body) by about 750x. That's not a typo.
>
> Chunked responses:
>
> $ cat tmp/http-chunked-client.js
> // Run `node benchmark/http_simple` in another terminal.
> var http = require('http'), url = require('url');
> var options = url.parse('http://127.0.0.1:8000/buffer/1/1');
> options.agent = new http.Agent({ maxSockets: 1 });
> for (var i = 0; i < 25000; ++i) http.get(options);
>
> Before:
>
> $ time out/Release/node tmp/http-chunked-client.js
> real 16m40.411s
> user 0m9.184s
> sys 0m0.604s
>
> After:
>
> $ time out/Release/node tmp/http-chunked-client.js
> real 0m5.386s
> user 0m2.768s
> sys 0m0.728s
>
> That's still a 185x speed-up.


That's awesome, well done!

Congratulations,
--
Jorge.

klrumpf

Jan 13, 2013, 1:52:02 PM
to nod...@googlegroups.com
Thanks!!
Karl-L. Rumpf
klr...@gmail.com
Málaga, Spain