Browse Source

2016-02-09, Version 0.10.42 (Maintenance)

This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Notable changes:

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
* src:
  - introduce new `--security-revert={cvenum}` command line flag for
    selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using
    `--security-revert=CVE-2016-2216`
* build:
  - xz compressed tar files will be made available from nodejs.org for
    v0.10 builds from v0.10.42 onward
  - A headers.tar.gz file will be made available from nodejs.org for
    v0.10 builds from v0.10.42 onward, a future change to node-gyp
    will be required to make use of these

PR-URL: https://github.com/nodejs/node-private/pull/25
process-exit-stdio-flushing
James M Snell 9 years ago
parent
commit
bc86c5675b
  1. 27
      CHANGELOG.md

27
CHANGELOG.md

@ -1,5 +1,32 @@
# Node.js ChangeLog
## 2016-02-09, Version 0.10.42 (Maintenance), @jasnell
This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
### Notable changes
* http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for v0.10 builds from v0.10.42 onward, a future change to node-gyp will be required to make use of these
### Commits
* [fdc332183e] - build: enable xz compressed tarballs where possible (Rod Vagg) https://github.com/nodejs/node/pull/4894
* [2d35b421b5] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368
* [b31c0f3ea4] - deps: update http-parser to version 1.1 (James M Snell)
* [616ec1d6b0] - doc: clarify v0.10.41 openssl tls security impact (Rod Vagg) https://github.com/nodejs/node/pull/4153
* [ccb3c2377c] - http: strictly forbid invalid characters from headers (James M Snell)
* [f0af0d1f96] - src: avoid compiler warning in node_revert.cc (James M Snell)
* [df80e856c6] - src: add --security-revert command line flag (James M Snell)
* [ff58dcdd74] - tools: backport tools/install.py for headers (Richard Lau) https://github.com/nodejs/node/pull/4149
## 2016-01-21, Version 4.2.6 'Argon' (LTS), @TheAlphaNerd
### Notable changes

Loading…
Cancel
Save