This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.6.0 to 2.6.1
* npm: upgrade npm from 3.3.12 to 3.6.0
(Rebecca Turner) https://github.com/nodejs/node/pull/4958
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/26
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all
items in queue too, not just the queue itself.
PR-URL: https://github.com/nodejs/node/pull/5109
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option
should be treated as a CA certificates too. While it doesn't seem to be
logically correct to me, we can't afford to break API stability at this
point.
Fix: #5100
PR-URL: https://github.com/nodejs/node/pull/5109
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Prefer using Object.setPrototypeOf() instead.
PR-URL: https://github.com/nodejs/node/pull/5069
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The SSL_CTX_clear_extra_chain_certs function clears the extra
certificates associated with an SSL_CTX without reaching into the
SSL_CTX structure itself (which will become impossible in OpenSSL
1.1.0). The underlying implementation in OpenSSL[1] is the same what the
code was doing and OpenSSL has provided this function since 0.9.8 so
this change should be fully compatible.
[1] https://github.com/nodejs/node/blob/master/deps/openssl/openssl/ssl/s3_lib.c#L3899
PR-URL: https://github.com/nodejs/node/pull/4919
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
node_crypto.cc attempts to handle the case where OCSP stapling APIs
aren't provided by using NODE__HAVE_TLSEXT_STATUS_CB. But the build
would actually fail in this case because of a couple of places that were
missing #ifdefs.
With this change the build works although, as expected,
test-tls-ocsp-callback.js will fail.
PR-URL: https://github.com/nodejs/node/pull/4914
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
SSL_CIPHER objects are conceptually const in any case and this allows
STACK_OF(SSL_CIPHER) to return a const pointer, as is done in BoringSSL
and, perhaps, OpenSSL in the future.
PR-URL: https://github.com/nodejs/node/pull/4913
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Do not swallow error details when reporting UV_EPROTO asynchronously,
and when creating artificial errors.
Fix: #3692
PR-URL: https://github.com/nodejs/node/pull/4885
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Event emitters support symbols as event names. The process object
assumes that the event name is a string, and examines the first
three characters to check for signals. This causes an exception
if the event name is a symbol. This commit ensures that the
event name is a string before trying to slice() it.
PR-URL: https://github.com/nodejs/node/pull/4798
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Wyatt Preul <wpreul@gmail.com>
Fix a regression introduced in commit 89f056b ("node: improve
performance of hrtime()") where the nanosecond field sometimes
had a negative value when calculating the difference between two
timestamps.
Fixes: https://github.com/nodejs/node/issues/4751
PR-URL: https://github.com/nodejs/node/pull/4757
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
AfterGetAddrInfo() can potentially return an empty array of
results without setting an error value. The JavaScript layer
expects the array to have at least one value if an error is
not returned. This commit sets a UV_EAI_NODATA error when an
empty result array is detected.
Fixes: https://github.com/nodejs/node/issues/4545
PR-URL: https://github.com/nodejs/node/pull/4715
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>
Provide means to inspect information about the separate heap spaces
via a callable API. This is helpful to analyze memory issues.
Fixes: https://github.com/nodejs/node/issues/2079
PR-URL: https://github.com/nodejs/node/pull/4463
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
It's possible there is already an existing error on OpenSSL's error
stack that is unrelated to the EVP_DigestInit_ex() operation we just
executed.
Fixes: https://github.com/nodejs/node/issues/4221
PR-URL: https://github.com/nodejs/node/pull/4731
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Clean up OpenSSL error stack in `ECDH::Initialize`, some curves have
faulty implementations that are leaving dangling errors after
initializing the curve.
Fix: #4686
PR-URL: https://github.com/nodejs/node/pull/4689
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Remove redeclarations of variables in node.js. This includes removing
one apparently unnecessary `NativeModule.require('module')`.
PR-URL: https://github.com/nodejs/node/pull/4605
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
If uv_interface_addresses() returns UV_ENOSYS then interfaces and count
are uninitialised. This can cause a segmentation fault inside
GetInterfaceAddresses when it tries to use the invalid interfaces[].
Fix the issue by returning from GetInterfaceAddresses on the UV_ENOSYS
error.
This issue was observed when using uCLibc-ng version 1.0.9 because
uv_interface_addresses() in deps/uv/src/unix/linux-core.c incorrectly
undefines HAVE_IFADDRS_H.
Signed-off-by: Martin Bark <martin@barkynet.com>
PR-URL: https://github.com/nodejs/node/pull/4272
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Move argument validation out of C++ and into JS. Improves performance
by about 15-20%.
PR-URL: https://github.com/nodejs/node/pull/4484
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.
Fix: #4127
PR-URL: https://github.com/nodejs/node/pull/4165
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
process.hrtime() was performing too many operations in C++ that could be
done faster in JS. Move those operations over by creating a length 4
Uint32Array and perform bitwise operations on the seconds so that it was
unnecessary for the native API to do any object creation or set any
fields.
This has improved performance from ~350 ns/op to ~65 ns/op. Light
benchmark included to demonstrate the performance change.
PR-URL: https://github.com/nodejs/node/pull/3780
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Improve performance of process._getActiveHandles by sending handles in
batches to JS to be set on the passed Array. Add test to check proper
active handles are returned.
Alter implementation of GetActiveRequests to match GetActiveHandles'
implementation.
PR-URL: https://github.com/nodejs/node/pull/3780
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Improve performance by pushing directory entries to returned array in
batches of 8 using pushValueToArray() in JS. Add benchmarks to
demonstrate this improvement.
PR-URL: https://github.com/nodejs/node/pull/3780
Reviewed-By: Fedor Indutny <fedor@indutny.com>
For performance add headers to the headers Array by pushing them on from
JS. Benchmark added to demonstrate this case.
PR-URL: https://github.com/nodejs/node/pull/3780
Reviewed-By: Fedor Indutny <fedor@indutny.com>
The initial implementation of setPropByIndex() set the value of an Array
by index during development. Though the final form of the function
simply pushes passed values to an array as passed by arguments. Thus the
functions have been renamed to pushValueToArray() and
push_values_to_array_function() respectively.
Also add define for maximum number of arguments should be used before
hitting the limit of performance increase.
Fixes: 494227b "node: improve GetActiveRequests performance"
PR-URL: https://github.com/nodejs/node/pull/3780
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Notable changes:
* buffer:
- Buffer.prototype.includes() has been added to keep parity
with TypedArrays. (Alexander Martin) #3567.
* domains:
- Fix handling of uncaught exceptions.
(Julien Gilli) #3654.
* https:
- Added support for disabling session caching.
(Fedor Indutny) #4252.
* repl:
- Allow third party modules to be imported using
require(). This corrects a regression from 5.2.0.
(Ben Noordhuis) #4215.
* deps:
- Upgrade libuv to 1.8.0.
(Saúl Ibarra Corretgé) #4276.
PR-URL: https://github.com/nodejs/node/pull/4281
Not supported by apple-gcc and I'm not convinced it's worth adding more
preprocessor hacks when it should be easy as pie for the compiler to
to optimize the byteswap. If it doesn't, fix the compiler.
Fixes: https://github.com/nodejs/node/issues/4284
PR-URL: https://github.com/nodejs/node/pull/4290
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Remove the unused and broken BITS_PER_LONG macro. Broken because x64
is the only 64 bits architecture where it produces the right result.
PR-URL: https://github.com/nodejs/node/pull/4290
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
In dfee4e3712, the module wrapper
and line offset used when wrapping module code was changed to
better report errors on the first line of modules. However, that
commit did not update the runInThisContext() call used to
execute the core modules, so their error line numbers have been
off by one. This commit provides the correct lineOffset for core
modules.
Refs: https://github.com/nodejs/node/pull/2867
PR-URL: https://github.com/nodejs/node/pull/4254
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
`WrapperInfo` casts pointer in JS object's internal field to
`AsyncWrap`. This approach fails miserably for `TLSWrap` because it was
inhereted from the `StreamBase` first, creating different kind of
`vtable` for the whole class.
Reorder parent classes to put `AsyncWrap` first.
Fix: https://github.com/nodejs/node/issues/4250
PR-URL: https://github.com/nodejs/node/pull/4268
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4264
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fix node exiting due to an exception being thrown rather than emitting
an `'uncaughtException'` event on the process object when:
1. no error handler is set on the domain within which an error is thrown
2. an `'uncaughtException'` event listener is set on the process
Also fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
Finally, change the behavior of --abort-on-uncaught-exception so that,
if the domain within which the error is thrown has no error handler, but
a domain further up the domains stack has one, the process will not
abort.
Fixes#3607 and #3653.
PR: #3654
PR-URL: https://github.com/nodejs/node/pull/3654
Reviewed-By: Chris Dickinson <chris@neversaw.us>
James M Snell
Fedor Indutny
Jackson Tian
Myles Borins
Adam Langley
Chris911
cjihrig
Evan Lucas
Ben Noordhuis
Ben Ripkens
Rich Trott
Jeremiah Senkpiel
Martin Bark
Trevor Norris
Yazhong Liu
Martin von Gagern
Julien Gilli
Rod Vagg