lukechilds
/
node
mirror of https://github.com/lukechilds/node.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

2016-03-04 Version 0.10.43 (Maintenance) Release 

Notable changes:

* http_parser: Update to http-parser 1.2 to fix an unintentionally
  strict limitation of allowable header characters.
  (James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
  - Prevent an exit due to an exception being thrown rather than
  emitting an 'uncaughtException' event on the `process` object when
  no error handler is set on the domain within which an error is
  thrown and an 'uncaughtException' event listener is set on
  `process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
  - Fix an issue where the process would not abort in the proper
  function call if an error is thrown within a domain with no error
  handler and `--abort-on-uncaught-exception` is used.
  (Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
  (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
  - Fix a double-free defect in parsing malformed DSA keys that may
    potentially be used for DoS or memory corruption attacks. It is
    likely to be very difficult to use this defect for a practical
    attack and is therefore considered low severity for Node.js users.
    More info is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
    cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
    functions. It is believed that Node.js is not invoking the code
    paths that use these functions so practical attacks via Node.js
    using this defect are _unlikely_ to be possible. More info is
    available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
    (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
    This defect enables attackers to execute side-channel attacks
    leading to the potential recovery of entire RSA private keys. It
    only affects the Intel Sandy Bridge (and possibly older)
    microarchitecture when using hyper-threading. Newer
    microarchitectures, including Haswell, are unaffected. More info
    is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0702
  - Remove SSLv2 support, the `--enable-ssl2` command line argument
    will now produce an error. The DROWN Attack
    (https://drownattack.com/) creates a vulnerability where SSLv2 is
    enabled by a server, even if a client connection is not using
    SSLv2. The SSLv2 protocol is widely considered unacceptably broken
    and should not be supported. More information is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0800

PR-URL: https://github.com/nodejs/node/pull/5404
v0.10 v0.10.43
Rod Vagg 9 years ago
parent
164157abbb
commit
3123e9a6df
2 changed files with 25 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      ChangeLog
  2. 2
      src/node_version.h

24
ChangeLog
View File

@ -1,3 +1,27 @@
2016-03-04, Version 0.10.43 (Maintenance), @rvagg
Notable changes:
* http_parser: Update to http-parser 1.2 to fix an unintentionally strict limitation of allowable header characters. (James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
- Prevent an exit due to an exception being thrown rather than emitting an `'uncaughtException'` event on the `process` object when no error handler is set on the domain within which an error is thrown and an `'uncaughtException'` event listener is set on `process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper function call if an error is thrown within a domain with no error handler and `--abort-on-uncaught-exception` is used. (Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the `--enable-ssl2` command line argument will now produce an error. The DROWN Attack (https://drownattack.com/) creates a vulnerability where SSLv2 is enabled by a server, even if a client connection is not using SSLv2. The SSLv2 protocol is widely considered unacceptably broken and should not be supported. More information is available at https://www.openssl.org/news/vulnerabilities.html#2016-0800
Commits:
* [164157abbb] - build: update Node.js logo on OSX installer (Rod Vagg) https://github.com/nodejs/node/pull/5401
* [f8cb0dcf67] - crypto,tls: remove SSLv2 support (Ben Noordhuis) https://github.com/nodejs/node/pull/5529
* [42ded2a590] - deps: upgrade openssl to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
* [1e45a6111c] - deps: update http-parser to version 1.2 (James M Snell) https://github.com/nodejs/node/pull/5242
* [6db377b2f4] - doc: remove SSLv2 descriptions (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5541
* [563c359f5c] - domains: fix handling of uncaught exceptions (Julien Gilli) https://github.com/nodejs/node/pull/3887
* [e483f3fd26] - test: fix hanging http obstext test (Ben Noordhuis) https://github.com/nodejs/node/pull/5511
2016-02-09, Version 0.10.42 (Maintenance), @jasnell 2016-02-09, Version 0.10.42 (Maintenance), @jasnell
This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities. This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.

2
src/node_version.h
View File

@ -26,7 +26,7 @@
#define NODE_MINOR_VERSION 10 #define NODE_MINOR_VERSION 10
#define NODE_PATCH_VERSION 43 #define NODE_PATCH_VERSION 43
#define NODE_VERSION_IS_RELEASE 0 #define NODE_VERSION_IS_RELEASE 1
#ifndef NODE_STRINGIFY #ifndef NODE_STRINGIFY
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

Write Preview
Loading…
Cancel
Save