lukechilds
/
node
mirror of https://github.com/lukechilds/node.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

2016-02-09, Version 0.10.42 (Maintenance) 

This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Notable changes:

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
* src:
  - introduce new `--security-revert={cvenum}` command line flag for
    selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using
    `--security-revert=CVE-2016-2216`
* build:
  - xz compressed tar files will be made available from nodejs.org for
    v0.10 builds from v0.10.42 onward
  - A headers.tar.gz file will be made available from nodejs.org for
    v0.10 builds from v0.10.42 onward, a future change to node-gyp
    will be required to make use of these

PR-URL: https://github.com/nodejs/node-private/pull/25
process-exit-stdio-flushing
James M Snell 9 years ago
parent
b5b5bb1e3c
commit
bc86c5675b
1 changed files with 27 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 27
      CHANGELOG.md

27
CHANGELOG.md
View File

@ -1,5 +1,32 @@
# Node.js ChangeLog
## 2016-02-09, Version 0.10.42 (Maintenance), @jasnell
This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
### Notable changes
* http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for v0.10 builds from v0.10.42 onward, a future change to node-gyp will be required to make use of these
### Commits
* [fdc332183e] - build: enable xz compressed tarballs where possible (Rod Vagg) https://github.com/nodejs/node/pull/4894
* [2d35b421b5] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368
* [b31c0f3ea4] - deps: update http-parser to version 1.1 (James M Snell)
* [616ec1d6b0] - doc: clarify v0.10.41 openssl tls security impact (Rod Vagg) https://github.com/nodejs/node/pull/4153
* [ccb3c2377c] - http: strictly forbid invalid characters from headers (James M Snell)
* [f0af0d1f96] - src: avoid compiler warning in node_revert.cc (James M Snell)
* [df80e856c6] - src: add --security-revert command line flag (James M Snell)
* [ff58dcdd74] - tools: backport tools/install.py for headers (Richard Lau) https://github.com/nodejs/node/pull/4149
## 2016-01-21, Version 4.2.6 'Argon' (LTS), @TheAlphaNerd
### Notable changes

Write Preview
Loading…
Cancel
Save