Notable changes:
* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
* Fixed several regressions that appeared in v5.7.0:
- path.relative():
- Output is no longer unnecessarily verbose (Brian White)
https://github.com/nodejs/node/pull/5389
- Resolving UNC paths on Windows now works correctly (Owen Smith)
https://github.com/nodejs/node/pull/5456
- Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) https://github.com/nodejs/node/pull/5490
- url: Fixed an off-by-one error with `parse()` (Brian White)
https://github.com/nodejs/node/pull/5394
- dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
https://github.com/nodejs/node/pull/5407
PR-URL: https://github.com/nodejs/node/pull/5464
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website https://nodejs.org/en/blog/vulnerability/openssl-march-2016/
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705 https://www.openssl.org/news/vulnerabilities.html#2016-0705.
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at CVE-2016-0797 https://www.openssl.org/news/vulnerabilities.html#2016-0797.
- Fix a defect that makes the _CacheBleed Atta https://ssrg.nicta.com.au/projects/TS/cachebleed/ _ possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702 https://www.openssl.org/news/vulnerabilities.html#2016-0702.
PR-URL: https://github.com/nodejs/node/pull/5526
Do not treat crypto inputs as `binary` strings, convert them to Buffers
using `new Buffer(..., 'utf8')`, or using newly updated StringBytes
APIs.
PR-URL: https://github.com/nodejs/node/pull/5522
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/5472
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
All eslint rules are configured to report as errors. Remove useless
--quiet flag from eslint invocation in Makefile and vcbuild.bat.
PR-URL: https://github.com/nodejs/node/pull/5519
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Array#pop() is known to be faster than Array#shift().
To be exact, it's O(1) vs. O(n). In this case there's no difference
from which side of the "pool" array the object is retrieved,
so .pop() should be preferred.
PR-URL: https://github.com/nodejs/node/pull/2174
Reviewed-By: mscdex - Brian White <mscdex@mscdex.net>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
PR-URL: https://github.com/nodejs/node/pull/5410
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Do not try Ubuntu/SUSE/Debian-specific hostnames for IPv6 localhost
unless we are on Linux.
Fixes: https://github.com/nodejs/node/issues/4546
PR-URL: https://github.com/nodejs/node/pull/5471
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Ben Noorhduis <info@bnoordhuis.nl>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Have `make test` run linting tools before tests rather than after. Lint
is likely to find issues quickly. Tests may take a while to run. So do
the linting first.
Refs: https://github.com/nodejs/node/issues/4546#issuecomment-189755007
PR-URL: https://github.com/nodejs/node/pull/5470
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
In order to comply with linting rules used in the rest of the code base,
eliminate redeclared variables. A conservative approach is used so as to
avoid unintentional performance issues (for example, as might be seen in
some situations when using `let` instead of `var`).
PR-URL: https://github.com/nodejs/node/pull/5468
Reviewed-By: Brian White <mscdex@mscdex.net>
Make `HTTPParser` an instance of `AsyncWrap` and make it use
`MakeCallback`. This means that async wrap hooks will be called on
consumed TCP sockets as well as on non-consumed ones.
Additional uses of `AsyncCallbackScope` are necessary to prevent
improper state from progressing that triggers failure in the
test-http-pipeline-flood.js test. Optimally this wouldn't be necessary,
but for the time being it's the most sure way to allow operations to
proceed as they have.
Fix: https://github.com/nodejs/node/issues/4416
PR-URL: https://github.com/nodejs/node/pull/5419
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Change types of all PBKDF2 params to `int` as they are `int` in `evp.h`.
Check that `raw_keylen` fits into `int` before passing it to OpenSSL.
Fix: #5396
PR-URL: https://github.com/nodejs/node/pull/5397
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: Ben Noorhduis <info@bnoordhuis.nl>
Reorder slashed protocols so they are grouped by protocol name. This is
done so it doesn't look like we're duplicating protocol names at the
bottom of the list.
PR-URL: https://github.com/nodejs/node/pull/5380
Reviewed-By: Evan Lucas <evanlucas@me.com>
As mentioned in the comment of the changed file, "a libuv limitation
makes it necessary to bind()". But, that is not the case in this test.
The subsequent call to send() results in an implicit bind().
PR-URL: https://github.com/nodejs/node/pull/5023
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>
The test is still failing sometimes because when trying to establish the
second connection, the server is already closed. Bring back the code
that handled this case and was removed in the last refactoring of the
test. Also ignore the errors that might happen when sending the second
handle to the worker because it may already have exited.
PR-URL: https://github.com/nodejs/node/pull/5422
Reviewed-By: Rich Trott <rtrott@gmail.com>
Fix path.win32.parse("/foo/bar") retuns `{root: '' ...}`(v5.7.0),
but not `{root: '/' ...}`(v5.6.0).
PR-URL: https://github.com/nodejs/node/pull/5484
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Roman Reiss <me@silverwind.io>
`readable.setEncoding(null)` - may be the most preferable way to proxy
a binary data without any encoding/decoding overhead
PR-URL: https://github.com/nodejs/node/pull/5155
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
On strict mode, "'use strict'; void 0; " is added as prefix
in order to prevent "use strict" as the result value
for let/const statements. It causes wrong column number in
stack trace.
PR-URL: https://github.com/nodejs/node/pull/5416
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Fixes a regression introduced by: https://github.com/nodejs/node/pull/4374.
Adds a new test to avoid similar issue in the future.
The test is disabled on windows, because this feature never worked
there.
Fixes: https://github.com/nodejs/node/issues/5398
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Evan Lucas <evanlucas@me.com>
There is a benchmark for the class method `Buffer.compare()` but not for
the instance method `buf.compare()`. This adds that benchmark.
I used this to confirm a performance regression in an implementation I
was considering. While the implementation was a bust, it does seem like
the benchmark is worthwhile.
The benchmark is nearly identical to the existing `Buffer.compare()`
benchmark except, of course, that it calls `buf.compare()` instead.
PR-URL: https://github.com/nodejs/node/pull/5441
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
In the hopes of soon having the benchmark code linted, this change
groups all the likely non-controversial lint-compliance changes such as
indentation, semi-colon usage, and single-vs.-double quotation marks.
Other lint rules may have subtle performance implications in the V8
currently shipped with Node.js. Those changes will require more careful
review and will be in a separate change.
PR-URL: https://github.com/nodejs/node/pull/5429
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Brian White <mscdex@mscdex.net>
adds posix test cases for paths similar to those that caused #5447
PR-URL: https://github.com/nodejs/node/pull/5456
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Roman Reiss <me@silverwind.io>
win32 normalize() will output a trailing '\' for some UNC paths. trim
them before processing
Change by @mscdex
Add basic UNC path tests to win32 relative()
PR-URL: https://github.com/nodejs/node/pull/5456
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Roman Reiss <me@silverwind.io>
This adds a paragraph in the Module Caching Caveats section about the
behavior of require when Node is running on top of a file system (e.g.
HFS) or operating system (e.g. Windows) that will not consider the case
of file paths to find files.
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Roman Reiss <me@silverwind.io>
The description of httpVersionMajor & httpVersionMinor should
have same context like httpVersion.
PR-URL: https://github.com/nodejs/node/pull/5296
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
This changes the doc generator to automatically link references such as
`open(2)` to a man page on man7.org or freebsd.org
PR-URL: https://github.com/nodejs/node/pull/5073
Reviewed-By: Ben Noorhduis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
`Cluster.setupMaster(options)` Options object was missing an `args`
property on the example.
PR-URL: https://github.com/nodejs/node/pull/5305
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Corrected name of "msg" argument from "buf" to "msg".
PR-URL: https://github.com/nodejs/node/pull/5449
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
ENGINE_METHOD_PKEY_METH and ENGINE_METHOD_PKEY_ASN1_METH are misspelled
in the documentation, both should be ..._METHS.
PR-URL: https://github.com/nodejs/node/pull/5463
Reviewed-By: Fedor Indutny <fedor@indutny.com>
constants.ENGINE_METHOD_RSA was documented, but not implemented.
PR-URL: https://github.com/nodejs/node/pull/5463
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Describes the How and Why of the timers implementation, as well as
adding comments in spots that should allow for an easier understanding
about what is going on.
The timers implementation is very efficient, at a cost.
That cost is readable understandability, and this aims to improve that.
PR-URL: https://github.com/nodejs/node/pull/4007
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Consolidates the implementation of regular and internal (_unrefActive)
timers.
Also includes a couple optimizations:
- Isolates the try/catch from listOnTimeout() in a new tryOnTimeout().
- Uses a TimersList constructor as the base for linkedlists.
Additionally includes other cleanup and clarification, such as a rename
of "Timer" to "TimerWrap".
PR-URL: https://github.com/nodejs/node/pull/4007
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>