`git-secure-tag` recursively constructs an SHA-512 digest out of the
git tree, and puts the hash from the tree's root into the tag
annotation. This hash provides better integrity guarantees than the
default SHA-1 merkle tree that git uses.
Fix: #7579
PR-URL: https://github.com/nodejs/node/pull/7603
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
piscisaureus has voluntarily stepped-down from the CTC
PR-URL: https://github.com/nodejs/node/pull/7969
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Add language identifying a request for voluntary resignation as the
typical mechanism for addressing inactive CTC members.
PR-URL: https://github.com/nodejs/node/pull/7720
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Provide example activities to better distinguish Collaborator activities
from CTC member activities.
PR-URL: https://github.com/nodejs/node/pull/7744
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
CTC quorum rules were not in writing. There was an informal
understanding between CTC members. Document the rules to avoid
differences in interpretation.
PR-URL: https://github.com/nodejs/node/pull/7813
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
There has been some question about whether the #node.js irc channel
falls under the TSC oversight or not.
See: https://github.com/nodejs/node/issues/7746
This clarifies that the #node.js irc channel is a community provided
resource that is not currently directly under the oversight of the
TSC/CTC.
PR-URL: https://github.com/nodejs/node/pull/7810
Reviewed-By: Bryan Hughes <bryan@nebri.us>
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
The arguments object is not created for arrow functions so the example
was incorrect.
PR-URL: https://github.com/nodejs/node/pull/7674
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8060
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
`POST_STATUS_TO_PR` previously did not work.
Now it works.
Update the onboarding documentation accordingly.
PR-URL: https://github.com/nodejs/node/pull/8059
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Extend linting to tools/license2rtf.js and any other JS that gets added
to the `tools` directory by default.
This incidentally simplifies lint invocation.
Ref: https://github.com/nodejs/node/pull/8349
PR-URL: https://github.com/nodejs/node/pull/7647
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
We will be introducing many more critical sections in the upcoming
multi-isolate changes, so let's make manual synchronization a thing
of the past.
PR-URL: https://github.com/nodejs/node/pull/7334
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Set the `req.buffer` property, which serves as a way of keeping
a `Buffer` alive that is being written to a stream, on the C++
side instead of the JS side.
This closes a hole where buffers that were temporarily created
in order to write strings with uncommon encodings (e.g. `hex`)
were passed to the native side without being set as `req.buffer`.
Fixes: https://github.com/nodejs/node/issues/8251
PR-URL: https://github.com/nodejs/node/pull/8252
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This change is in preparation for lint enforcement of brace style.
PR-URL: https://github.com/nodejs/node/pull/8348
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
This change is in preparation for lint-enforced brace style.
PR-URL: https://github.com/nodejs/node/pull/8348
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Since I was doing the necessary git archaeology anyway, I took the time
to add YAML information to the docs about when `addMembership()` and
`dropMembership()` first appeared in their current forms.
PR-URL: https://github.com/nodejs/node/pull/6753
Ref: https://github.com/nodejs/node/issues/6578
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Use `msvs_settings.MASM.UseSafeExceptionHandlers` when building OpenSSL
assembly code on Windows. This option appends `/safeseh` to the list of
assembler flags when building `.asm` files on Windows.
Having this option in place, separate rules in `masm_compile.gypi` are
no longer needed.
Fix: #7426
PR-URL: https://github.com/nodejs/node/pull/7427
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Inspect boxed symbol objects in the same way other boxed primitives
are inspected.
Fixes: https://github.com/nodejs/node/issues/7639
PR-URL: https://github.com/nodejs/node/pull/7641
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
The function objects encapsulating `isIPv4` and `isIPv6` are not
necessary. They can be directly exposed from `cares`.
PR-URL: https://github.com/nodejs/node/pull/7481
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Exclude tests for AIX in 4.x stream now that
its been added to regular regression runs. This
will avoid known failures from making the build
look RED while also being able to catch any
new regressions if they are introduced.
PR-URL: https://github.com/nodejs/node/pull/8076
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Joao Reis <reis@janeasystems.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Minor rewording related to making a server listen to a random port,
and added how to retrieve which port was randomly chosen by the OS.
Also changed documented `server.listen()` signature as it does in fact
not require `port` to be provided.
PR-URL: https://github.com/nodejs/node/pull/8025
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Manual backport from master to 4.x stream, original
commit message follows.
I often want to run a test many times to see if a failure
can be recreated and I believe this is a common
use case. We even have this job in the CI
https://ci.nodejs.org/job/node-stress-single-test/configure
but often you want to run it on a specific machine.
This patch adds the --repeat option so that
you can repeat the selected set of tests a
number of times. Given existing options
in test.py this will allow you to run
one or more tests for the number of
repeats specified. For example:
tools/test.py -j8 --repeat 1000 parallel/test-process-exec-argv
runs the test-process-exec-argv test 1000 times,
running 8 copies in parallel
tools/test.py --repeat 2
would run the entire test suite twice.
PR-URL: https://github.com/nodejs/node/pull/6700
Reviewed-By: Ben Noorhduis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: thefourtheye - Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: joaocgreis - João Reis <reis@janeasystems.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Add an option to the configure script for building d8. Useful for
testing V8 standalone.
PR-URL: https://github.com/nodejs/node/pull/7538
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted into
Node.js at runtime by masquerading as one of the dynamic engine
modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/70
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/46
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/65
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/63
PR-URL: https://github.com/nodejs/node-private/pull/74
Compile out hardware engines. Most are stubs that dynamically load
the real driver but that poses a security liability when an attacker
is able to create a malicious DLL in one of the default search paths.
PR-URL: https://github.com/nodejs/node-private/pull/70
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Joao Reis <reis@janeasystems.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This makes sure that no uninitialized bytes are leaked when the specified
`totalLength` input value is greater than the actual total length of the
specified buffers array, e.g. in Buffer.concat([Buffer.alloc(0)], 100).
PR-URL: https://github.com/nodejs/node-private/pull/65
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rod Vagg <rod@vagg.org>
Previously, the reason argument passed to ServerResponse#writeHead was
not being properly validated. One could pass CRLFs which could lead to
http response splitting. This commit changes the behavior to throw an
error in the event any invalid characters are included in the reason.
CVE-2016-5325
PR-URL: https://github.com/nodejs/node-private/pull/46
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>