Browse Source

Working on v0.10.48

v0.10
Rod Vagg 8 years ago
parent
commit
703a906acd
  1. 2
      ChangeLog
  2. 4
      src/node_version.h

2
ChangeLog

@ -8,7 +8,7 @@ Notable changes:
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the `reason` argument in `ServerResponse#writeHead()`. Fixes a possible response splitting attack vector. This introduces a new case where `throw` may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-2183, CVE-2016-2178 and CVE-2016-6306.
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of `*.` in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian) (Ben Noordhuis)
Commits:

4
src/node_version.h

@ -24,9 +24,9 @@
#define NODE_MAJOR_VERSION 0
#define NODE_MINOR_VERSION 10
#define NODE_PATCH_VERSION 47
#define NODE_PATCH_VERSION 48
#define NODE_VERSION_IS_RELEASE 1
#define NODE_VERSION_IS_RELEASE 0
#ifndef NODE_STRINGIFY
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

Loading…
Cancel
Save