PR-URL: https://github.com/nodejs/node/pull/9107
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses,
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting
Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded
memory growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/71
This makes sure that no uninitialized bytes are leaked when the specified
`totalLength` input value is greater than the actual total length of the
specified buffers array, e.g. in Buffer.concat([Buffer.alloc(0)], 100).
PR-URL: https://github.com/nodejs/node-private/pull/67
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rod Vagg <rod@vagg.org>
Use unsigned types for size calculations. Fixes a warning that was
drowning out everything else because zone-inl.h is included in every
source file:
../deps/v8/src/zone-inl.h: In member function 'void* v8::internal::Zone::New(int)':
../deps/v8/src/zone-inl.h:61:32: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (limit < position || size > limit - position) {
PR-URL: https://github.com/nodejs/node-private/pull/62
Reviewed-By: Rod Vagg <rod@vagg.org>
Shifting a negative constant value is no longer allowed unless
the -fpermissive flag is in effect. Fixes the following build
errors:
../deps/v8/src/objects.h:5188:47: warning: left shift of negative value [-Wshift-negative-value]
static const int kElementsKindMask = (-1 << kElementsKindShift) &
../deps/v8/src/objects.h:5188:44: error: left operand of shift expression '(-1 << 3)' is negative [-fpermissive]
static const int kElementsKindMask = (-1 << kElementsKindShift) &
../deps/v8/src/objects.h:7376:39: warning: left shift of negative value [-Wshift-negative-value]
(~kMaxCachedArrayIndexLength << kArrayIndexHashLengthShift) |
../deps/v8/src/objects.h:7376:36: error: left operand of shift expression '(-8 << 26)' is negative [-fpermissive]
(~kMaxCachedArrayIndexLength << kArrayIndexHashLengthShift) |
And:
../deps/v8/src/liveedit.cc:205:44: warning: left shift of negative value [-Wshift-negative-value]
static const int kEmptyCellValue = -1 << kDirectionSizeBits;
../deps/v8/src/liveedit.cc:205:41: error: left operand of shift expression '(-1 << 2)' is negative [-fpermissive]
static const int kEmptyCellValue = -1 << kDirectionSizeBits;
PR-URL: https://github.com/nodejs/node-private/pull/62
Reviewed-By: Rod Vagg <rod@vagg.org>
Incorporates changes from commit e345253 ("tls: better error reporting
at cert validation") to test/simple/test-tls-check-server-identity.js
to make back-porting the patch easier.
CVE-2016-7099
PR-URL: https://github.com/nodejs/node-private/pull/62
Reviewed-By: Rod Vagg <rod@vagg.org>
Previously, the reason argument passed to ServerResponse#writeHead was
not being properly validated. One could pass CRLFs which could lead to
http response splitting. This commit changes the behavior to throw an
error in the event any invalid characters are included in the reason.
CVE-2016-5325
PR-URL: https://github.com/nodejs/node-private/pull/48
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
(cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74)
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25368
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/8718
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Myles Borins <mborins@us.ibm.com>
This just replaces all sources of openssl-1.0.1u.tar.gz
into deps/openssl/openssl.
PR-URL: https://github.com/nodejs/node/pull/8718
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Myles Borins <mborins@us.ibm.com>
Work around spec violations in V8 where it checks that `this == NULL`.
GCC 6 started exploiting this particular kind of UB, resulting in
runtime crashes.
Fixes: https://github.com/nodejs/node/issues/6724
PR-URL: https://github.com/nodejs/node/pull/6738
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Some of the logic from `zone.cc` is found in `zone-inl.h` in this
release stream.
Original commit message:
Fix overflow issue in Zone::New
When requesting a large allocation near the end of the address space,
the computation could overflow and erroneously *not* grow the Zone
as required.
BUG=chromium:606115
LOG=y
Review-Url: https://codereview.chromium.org/1930873002
Cr-Commit-Position: refs/heads/master@{#35903}
PR-URL: https://github.com/nodejs/node-private/pull/43
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
(cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74)
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25368
Notable changes:
* npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm
v2 LTS from the previously deprecated npm v1. (Forrest L Norvell)
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker
to set up a server that could collect tokens from users of the
command-line interface. Authentication tokens have previously been
sent with every request made by the CLI for logged-in users,
regardless of the destination of the request. This update fixes this
by only including those tokens for requests made against the
registry or registries used for the current install. IMPORTANT:
This is a major upgrade to npm v2 LTS from the previously deprecated
npm v1. (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
are obsolete and not considered safe. This release of Node.js turns
on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
included in these lists which can be used in SSLv3 and higher. Full
details can be found in our LTS discussion on the matter
(https://github.com/nodejs/LTS/issues/85).
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
PR-URL: https://github.com/nodejs/node/pull/5968
DES-CBC-SHA is LOW cipher and disabled by default and it is used in
tests of hornorcipherorder. They are changed as to
- use RC4-SHA instead of DES-CBC-SHA.
- add AES128-SHA to entries to keep the number of ciphers.
- remove tests for non-default cipher because only SEED and IDEA are
available in !RC4:!HIGH:ALL.
Fixes: https://github.com/nodejs/LTS/issues/85
PR-URL: https://github.com/nodejs/node/pull/5712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Invoke MSBuild specifying the target platform as generated by Gyp.
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/5627
Notable changes:
* http_parser: Update to http-parser 1.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
(Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
This defect enables attackers to execute side-channel attacks
leading to the potential recovery of entire RSA private keys. It
only affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the `--enable-ssl2` command line argument
will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using
SSLv2. The SSLv2 protocol is widely considered unacceptably broken
and should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
PR-URL: https://github.com/nodejs/node/pull/5404
Set the Connection header to 'close' to work around a v0.10 quirk.
Prevents the test from timing out due to a still open TCP connection.
Test introduced in 1e45a61 ("deps: update http-parser to version 1.2").
PR-URL: https://github.com/nodejs/node/pull/5511
Reviewed-By: James M Snell <jasnell@gmail.com>
Fixes http-parser regression with IS_HEADER_CHAR check
Add test case for obstext characters (> 0x80) in header
PR-URL: https://github.com/nodejs/node/pull/5242
Reviewed-By: Rod Vagg <rod@vagg.org>
Fix node exiting due to an exception being thrown rather than emitting
an 'uncaughtException' event on the process object when:
1. no error handler is set on the domain within which an error is thrown
2. an 'uncaughtException' event listener is set on the process
Also fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and --abort-on-uncaught-exception is used.
Fixes#3607 and #3653.
PR: #3887
PR-URL: https://github.com/nodejs/node/pull/3887
Reviewed-By: James M Snell <jasnell@gmail.com>