前幾天「Node.js 預定在十月 24 號發表安全性更新」提到 Node.js 會發表安全性更新,已經看到 4/6/8 都出新版了:「Node v4.8.5 (Maintenance)」、「Node v6.11.5 (LTS)」、「Node v8.8.0 (Current)」。
這次安全更新的 CVE 是 CVE-2017-14919:
CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. nodejs-private/node-private#95
zlib 的 manual 對 windowBits 說明:
For the current implementation of
deflate(), awindowBitsvalue of 8 (a window size of 256 bytes) is not supported. As a result, a request for 8 will result in 9 (a 512-byte window). In that case, providing 8 toinflateInit2()will result in an error when the zlib header with 9 is checked against the initialization ofinflate(). The remedy is to not use 8 withdeflateInit2()with this initialization, or at least in that case use 9 withinflateInit2().
唔?XD
另外文章可以看出來 Node.js 團隊是選擇在 GitHub 上用另外一個 organization 在管這類不會事前公開的事情...