<li><p>unix: don't flush tty on switch to raw mode (Ben Noordhuis)</p>
</li>
<li><p>windows: reset brightness when reverting to default text color (Bert Belder)</p>
</li>
<li><p>npm: update to 1.1.1</p>
<p>- Update which, fstream, mkdirp, request, and rimraf<br>- Fix #2123 Set path properly for lifecycle scripts on windows<br>- Mark the root as seen, so we don't recurse into it. Fixes #1838. (Martin Cooper)</p>
<p>Please try out this release. There will be virtually no changes between this and the v0.8.x release family. This is the last chance to comment before it is locked down for stability. The API is effectively frozen now. </p>
<p>This version adds backwards-compatible shims for binary addons that use libeio and libev directly. If you find that binary modules that could compile on v0.6 can not compile on this version, please let us know. Note that libev is officially deprecated in v0.8, and will be removed in v0.9. You should be porting your modules to use libuv as soon as possible. </p>
<p>V8 is on 3.11.10 currently, and will remain on the V8 3.11.x branch for the duration of Node v0.8.x. </p>
<ul><li><p>npm: Upgrade to 1.1.30<br> - Improved 'npm init'<br> - Fix the 'cb never called' error from 'outdated' and 'update'<br> - Add --save-bundle|-B config<br> - Fix isaacs/npm#2465: Make npm script and windows shims cygwin-aware<br> - Fix isaacs/npm#2452 Use --save(-dev|-optional) in npm rm<br> - <code>logstream</code> option to replace removed <code>logfd</code> (Rod Vagg)<br> - Read default descriptions from README.md files </p>
</li><li><p>Shims to support deprecated <code>ev_*</code> and <code>eio_*</code> methods (Ben Noordhuis)</p>
</li><li><p>#3118 net.Socket: Delay pause/resume until after connect (isaacs)</p>
</li><li><p>#3465 Add ./configure --no-ifaddrs flag (isaacs)</p>
<p>A few weeks ago, Matthew Daley found a security vulnerability in Node's HTTP implementation, and thankfully did the responsible thing and reported it to us via email. He explained it quite well, so I'll quote him here:</p>
<blockquote>
<p>There is a vulnerability in node's <code>http_parser</code> binding which allows information disclosure to a remote attacker:
</p>
<p>In <code>node::StringPtr::Update</code>, an attempt is made at an optimization on certain inputs (<code>node_http_parser.cc</code>, line 151). The intent is that if the current string pointer plus the current string size is equal to the incoming string pointer, the current string size is just increased to match, as the incoming string lies just beyond the current string pointer. However, the check to see whether or not this can be done is incorrect; "size" is used whereas "size_" should be used. Therefore, an attacker can call Update with a string of certain length and cause the current string to have other data appended to it. In the case of HTTP being parsed out of incoming socket data, this can be incoming data from other sockets.</p>
@ -41,5 +41,5 @@ X header:
</blockquote>
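<p>The flawed adjacency check described in the report, next to the corrected one, as an added example (a simplified model, not the code from <code>node_http_parser.cc</code>). <code>StringPtrModel</code>, <code>Accumulate</code>, <code>FixedKeepsZeroCopy</code> and the buffer contents are hypothetical names and constructed data.</p>

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Simplified model of a zero-copy string accumulator (hypothetical; not Node's source).
struct StringPtrModel {
  const char* str_ = nullptr;  // start of the current string
  size_t size_ = 0;            // length of the current string
  std::string heap_;           // owned copy, used once input is non-contiguous
  bool on_heap_ = false;

  // use_fixed_check=false models the check from the report ("size" instead of "size_").
  void Update(const char* str, size_t size, bool use_fixed_check) {
    if (str_ == nullptr) {
      str_ = str;
    } else {
      // Zero-copy is only valid if the new piece starts where the current one ends.
      bool contiguous = !on_heap_ &&
          (use_fixed_check ? str_ + size_ : str_ + size) == str;
      if (!contiguous) {
        if (!on_heap_) heap_.assign(str_, size_);  // copy what we have so far
        heap_.append(str, size);                   // then the new piece
        on_heap_ = true;
        str_ = heap_.data();
      }
    }
    size_ += size;
  }
  std::string Value() const { return std::string(str_, size_); }
};

// Constructed receive buffer: a 2-byte fragment, 6 unrelated bytes, an 8-byte fragment.
static const char kBuf[] = "XXsecret12345678";

std::string Accumulate(bool use_fixed_check) {
  StringPtrModel s;
  s.Update(kBuf, 2, use_fixed_check);      // "XX"
  s.Update(kBuf + 8, 8, use_fixed_check);  // "12345678", not adjacent to "XX"
  return s.Value();
}

// The corrected check still avoids a copy when the pieces really are adjacent.
bool FixedKeepsZeroCopy() {
  StringPtrModel s;
  s.Update(kBuf, 2, true);
  s.Update(kBuf + 2, 6, true);
  return !s.on_heap_ && s.Value() == "XXsecret";
}

int main() {
  std::printf("flawed: %s\nfixed:  %s\n", Accumulate(false).c_str(), Accumulate(true).c_str());
}
```

<p>With the flawed check the second fragment is never copied; the length simply grows over the unrelated bytes that follow the first fragment in memory, which is the disclosure the report describes.</p>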
<p>The fix landed on <a href="https://github.com/joyent/node/commit/7b3fb22">7b3fb22</a> and <a href="https://github.com/joyent/node/commit/c9a231d">c9a231d</a>, for master and v0.6, respectively. The innocuous commit message does not give away the security implications, precisely because we wanted to get a fix out before making a big deal about it. </p>
<p>The first releases with the fix are v0.7.8 and 0.6.17. So now is a good time to make a big deal about it. </p>
<p>If you are using node version 0.6 in production, please upgrade to at least <a href="http://blog.nodejs.org/2012/05/04/version-0-6-17-stable/">v0.6.17</a>, or at least apply the fix in <a href="https://github.com/joyent/node/commit/c9a231d">c9a231d</a> to your system. (Version 0.6.17 also fixes some other important bugs, and is without doubt the most stable release of Node 0.6 to date, so it's a good idea to upgrade anyway.) </p>
<p>I'm extremely grateful that Matthew took the time to report the problem to us with such an elegant explanation, and in such a way that we had a reasonable amount of time to fix the issue before making it public. </p>