
2016-02-09, Version 0.12.10 (LTS)

This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Notable changes:

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
* src:
  - introduce new `--security-revert={cvenum}` command line flag for
    selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using
    `--security-revert=CVE-2016-2216`
* build:
  - xz compressed tar files will be made available from nodejs.org for
    v0.12 builds from v0.12.10 onward
  - A headers.tar.gz file will be made available from nodejs.org for
    v0.12 builds from v0.12.10 onward, a future change to node-gyp
    will be required to make use of these

PR-URL: https://github.com/nodejs/node-private/pull/24
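As an added example (not Node's own code and not part of the patch under review), a header validator in the spirit of the http fix described above: names must be RFC 7230 tokens and values may not carry control characters other than HTAB, so a CRLF smuggled into a value is rejected rather than written out as a second header line. The two regular expressions and the sample values are my own assumptions about the restriction, not a copy of Node's implementation.

```javascript
// Added example (not Node's code): header validation that applies the kind of
// character restriction the 0.12.10 notes describe for http header parsing.
// Names must be RFC 7230 tokens; values may contain HTAB, visible ASCII and
// obs-text (0x80-0xFF) only, so CR/LF can never end up inside one field.
const TOKEN_RE = /^[\^_`a-zA-Z0-9!#$%&'*+.|~-]+$/;
const INVALID_VALUE_CHAR_RE = /[^\t\x20-\x7e\x80-\xff]/;

function isValidHeaderName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

function isValidHeaderValue(value) {
  return typeof value === 'string' && !INVALID_VALUE_CHAR_RE.test(value);
}

// Throws instead of emitting a malformed field, so code that builds headers
// from request data gets an error rather than a split response.
function validateHeader(name, value) {
  if (!isValidHeaderName(name)) {
    throw new TypeError(`Header name contains invalid characters: ${JSON.stringify(name)}`);
  }
  if (!isValidHeaderValue(value)) {
    throw new TypeError(`Header value for ${name} contains invalid characters`);
  }
  return `${name}: ${value}\r\n`;
}

// Serialise a whole header block, or throw on the first bad field.
function serializeHeaders(headers) {
  return Object.entries(headers).map(([n, v]) => validateHeader(n, v)).join('') + '\r\n';
}

// Constructed sample: a redirect target copied from an untrusted query string.
// The benign value passes; the one carrying CRLF (an attempted extra header)
// is rejected before anything reaches the socket.
const benign = '/account?lang=en';
const injected = '/account\r\nX-Injected: 1';

function demo() {
  const ok = serializeHeaders({ Location: benign, 'Content-Length': '0' });
  let rejected = false;
  try {
    serializeHeaders({ Location: injected });
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { ok, rejected };
}
```

Running `demo()` returns the serialised benign block and `rejected: true` for the CRLF-bearing value.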
James M Snell 9 years ago
parent commit 2dc89da504

27 CHANGELOG.md

@ -1,5 +1,32 @@
# Node.js ChangeLog # Node.js ChangeLog
## 2016-02-09, Version 0.12.10 (LTS), @jasnell
This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
### Notable changes
* http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for v0.12 builds from v0.12.10 onward
- A headers.tar.gz file will be made available from nodejs.org for v0.12 builds from v0.12.10 onward, a future change to node-gyp will be required to make use of these
### Commits
* [4312848bff] - build: enable xz compressed tarballs where possible (Rod Vagg) https://github.com/nodejs/node/pull/4894
* [247626245c] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368
* [744c9749fc] - deps: update http-parser to version 2.3.1 (James M Snell)
* [d1c56ec7d1] - doc: clarify v0.12.9 notable items (Rod Vagg) https://github.com/nodejs/node/pull/4154
* [e128d9a5b4] - http: strictly forbid invalid characters from headers (James M Snell)
* [bdb9f2cf89] - src: avoiding compiler warnings in node_revert.cc (James M Snell)
* [23bced1fb3] - src: add --security-revert command line flag (James M Snell)
* [f41a3c73e7] - tools: backport tools/install.py for headers (Richard Lau) https://github.com/nodejs/node/pull/4149
## 2016-02-09, Version 0.10.42 (Maintenance), @jasnell ## 2016-02-09, Version 0.10.42 (Maintenance), @jasnell
This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities. This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
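Review bot: the two `--security-revert` bullets under `src:` should state what reverting implies, because `--security-revert=CVE-2016-2216` brings back exactly the header-parsing behaviour the `http:` bullet above says was fixed; a clause such as "this reinstates the vulnerable behaviour and is meant only as a temporary compatibility measure" belongs next to the flag. In `### Commits`, the entries 744c9749fc, e128d9a5b4, bdb9f2cf89 and 23bced1fb3 carry no PR link while the other four do; if they landed through the private PR in the message, say so, or add the public link when one exists. Minor: "1024-bits" and "768-bits" in the openssl bullet should read "1024 bits" and "768 bits".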
