From 0e0aa28871732c57a2e11bd6e4371f8f98331e41 Mon Sep 17 00:00:00 2001 From: James M Snell Date: Mon, 8 Feb 2016 12:57:03 -0800 Subject: [PATCH] 2016-02-09, Version 0.10.42 (Maintenance) This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities. Notable changes: * http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters. * http-parser: upgrade from 1.0 to 1.1 * openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits. * src: - introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes - allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216` * build: - xz compressed tar files will be made available from nodejs.org for v0.10 builds from v0.10.42 onward - A headers.tar.gz file will be made available from nodejs.org for v0.10 builds from v0.10.42 onward, a future change to node-gyp will be required to make use of these PR-URL: https://github.com/nodejs/node-private/pull/25 --- ChangeLog | 27 +++++++++++++++++++++++++++ src/node_version.h | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c533b997b3..3c6adb669b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,30 @@ +2016-02-09, Version 0.10.42 (Maintenance), @jasnell + +This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities. + +Notable changes: + +* http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters. +* http-parser: upgrade from 1.0 to 1.1 +* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits. +* src: + - introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes + - allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216` +* build: + - xz compressed tar files will be made available from nodejs.org for v0.10 builds from v0.10.42 onward + - A headers.tar.gz file will be made available from nodejs.org for v0.10 builds from v0.10.42 onward, a future change to node-gyp will be required to make use of these + +Commits: + +* [fdc332183e] - build: enable xz compressed tarballs where possible (Rod Vagg) https://github.com/nodejs/node/pull/4894 +* [2d35b421b5] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368 +* [b31c0f3ea4] - deps: update http-parser to version 1.1 (James M Snell) +* [616ec1d6b0] - doc: clarify v0.10.41 openssl tls security impact (Rod Vagg) https://github.com/nodejs/node/pull/4153 +* [ccb3c2377c] - http: strictly forbid invalid characters from headers (James M Snell) +* [f0af0d1f96] - src: avoid compiler warning in node_revert.cc (James M Snell) +* [df80e856c6] - src: add --security-revert command line flag (James M Snell) +* [ff58dcdd74] - tools: backport tools/install.py for headers (Richard Lau) https://github.com/nodejs/node/pull/4149 + 2015-12-04, Version 0.10.41 (Maintenance), @rvagg Security Update diff --git a/src/node_version.h b/src/node_version.h index e663a08b6d..3e9ea34b97 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -26,7 +26,7 @@ #define NODE_MINOR_VERSION 10 #define NODE_PATCH_VERSION 42 -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)