Subject: CVS commit: pkgsrc/lang/nodejs8
From: Adam Ciarcinski
Date: 2019-11-24 16:52:13
Message id: 20191124155213.C44CFFA97@cvs.NetBSD.org

Log Message:
nodejs8: updated to 8.16.2

Version 8.16.2 'Carbon' (LTS):

Notable changes
deps: upgrade openssl sources to 1.0.2s

Version 8.16.1 'Carbon' (LTS):

Notable changes
This is a security release.

Node.js, as well as many other implementations of HTTP/2, has been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.

Version 8.16.0 'Carbon' (LTS):

Notable Changes
n-api:
add API for asynchronous functions
mark thread-safe function as stable

Files:
Revision  Action  File
1.21      modify  pkgsrc/lang/nodejs8/Makefile
1.18      modify  pkgsrc/lang/nodejs8/distinfo
1.2       modify  pkgsrc/lang/nodejs8/patches/patch-deps_uv_common.gypi
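Added here as an illustration, not part of the pkgsrc commit, Node.js or nghttp2: a defender-side tally of the inbound HTTP/2 frame kinds that the Ping Flood, Settings Flood, Resource Loop and Empty Frames Flood entries above abuse, run over a constructed frame capture. The frame layout is RFC 7540's; the thresholds, function names and sample capture are assumptions made for this example.

```javascript
const T = { DATA: 0, HEADERS: 1, PRIORITY: 2, SETTINGS: 4, PUSH_PROMISE: 5, PING: 6, CONTINUATION: 9 };
const FLAG_BIT0 = 0x1; // END_STREAM on DATA/HEADERS, ACK on SETTINGS/PING
const BODY_FRAMES = [T.DATA, T.HEADERS, T.CONTINUATION, T.PUSH_PROMISE];
// Parse a frame byte stream (connection preface already consumed) per RFC 7540 section 4.1:
// 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id. A trailing partial frame is ignored.
function parseFrames(buf) {
  const frames = [];
  for (let off = 0; off + 9 <= buf.length; ) {
    const length = buf.readUIntBE(off, 3);
    if (off + 9 + length > buf.length) break;
    frames.push({ length, type: buf[off + 3], flags: buf[off + 4], streamId: buf.readUInt32BE(off + 5) & 0x7fffffff });
    off += 9 + length;
  }
  return frames;
}
// Tally the frame kinds the CVEs above abuse and name each pattern over its threshold
// (thresholds are assumed for illustration, not Node.js or nghttp2 defaults).
function detectFloods(frames, limits = { ping: 20, settings: 20, priority: 50, empty: 10 }) {
  const c = { ping: 0, settings: 0, priority: 0, empty: 0 };
  for (const f of frames) {
    const unflagged = !(f.flags & FLAG_BIT0);
    if (f.type === T.PING && unflagged) c.ping++;         // PINGs we still owe an ACK
    if (f.type === T.SETTINGS && unflagged) c.settings++; // SETTINGS we still owe an ACK
    if (f.type === T.PRIORITY) c.priority++;              // priority-tree churn
    if (BODY_FRAMES.includes(f.type) && f.length === 0 && unflagged) c.empty++; // empty, no END_STREAM
  }
  const findings = [];
  if (c.ping > limits.ping) findings.push('CVE-2019-9512 Ping Flood');
  if (c.settings > limits.settings) findings.push('CVE-2019-9515 Settings Flood');
  if (c.priority > limits.priority) findings.push('CVE-2019-9513 Resource Loop');
  if (c.empty > limits.empty) findings.push('CVE-2019-9518 Empty Frames Flood');
  return { counts: c, findings };
}
// Serialise one frame; used only to build the constructed capture below.
function frame(type, flags, streamId, payload = Buffer.alloc(0)) {
  const h = Buffer.alloc(9);
  h.writeUIntBE(payload.length, 0, 3); h[3] = type; h[4] = flags;
  h.writeUInt32BE(streamId & 0x7fffffff, 5);
  return Buffer.concat([h, payload]);
}
// Constructed capture (assumed input): 25 un-ACKed PINGs, one SETTINGS plus its ACK,
// one ordinary HEADERS frame, then 12 zero-length DATA frames without END_STREAM.
function sampleCapture() {
  const parts = [];
  for (let i = 0; i < 25; i++) parts.push(frame(T.PING, 0, 0, Buffer.alloc(8)));
  parts.push(frame(T.SETTINGS, 0, 0), frame(T.SETTINGS, FLAG_BIT0, 0));
  parts.push(frame(T.HEADERS, 0x4, 1, Buffer.from([0x82]))); // END_HEADERS, indexed ":method GET"
  for (let i = 0; i < 12; i++) parts.push(frame(T.DATA, 0, 1));
  return Buffer.concat(parts);
}
```

The other four entries (window manipulation, solicited resets, zero-length header allocations, TCP-window starvation) need per-stream and per-peer state that a frame tally alone cannot see, so they are out of scope here.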