This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted
into Node.js at runtime by masquerading as one of the dynamic
engine modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/73
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/60
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/64
* src: Fix regression where passing an empty password and/or salt to
crypto.pbkdf2() would cause a fatal error
(Rich Trott) https://github.com/nodejs/node/pull/8572
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in the
wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/75
* v8: Fix regression where a regex on a frozen object was broken
(Myles Borins) https://github.com/nodejs/node/pull/8673
This makes sure that no uninitialized bytes are leaked when the specified
`totalLength` input value is greater than the actual total length of the
specified buffers array, e.g. in Buffer.concat([Buffer.alloc(0)], 100).
PR-URL: https://github.com/nodejs/node-private/pull/64
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Compile out hardware engines. Most are stubs that dynamically load
the real driver but that poses a security liability when an attacker
is able to create a malicious DLL in one of the default search paths.
PR-URL: https://github.com/nodejs/node-private/pull/73
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Previously, the reason argument passed to ServerResponse#writeHead was
not being properly validated. One could pass CRLFs which could lead to
http response splitting. This commit changes the behavior to throw an
error in the event any invalid characters are included in the reason.
CVE-2016-5325
PR-URL: https://github.com/nodejs/node-private/pull/60
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Original commit message:
Revert of Put RegExp js code in strict mode (patchset #2 id:20001
of https://codereview.chromium.org/1776883005/ )
Reason for revert:
Found to break SAP Web IDE, and these semantics are not shipped
in any other browser.
Revert to legacy semantics while assessing web compatibility.
BUG=chromium:624318
Original issue's description:
> Put RegExp js code in strict mode
>
> src/js/regexp.js was one of the few files that was left in sloppy
> mode. The ES2017 draft specification requires that writes to
> lastIndex throw when the property is non-writable, and test262
> tests enforce this behavior. This patch puts that file in strict
> mode.
>
> BUG=v8:4504
> R=yangguo@chromium.org
> LOG=Y
>
> Committed: https://crrev.com/80b1b2a45bbd9bf3d08e4e6516acfaaa8f438213
> Cr-Commit-Position: refs/heads/master@{#34801}
TBR=yangguo@chromium.org,adamk@chromium.org
Review-Url: https://codereview.chromium.org/2112713003
Cr-Commit-Position: refs/heads/master@{#37449}
PR-URL: https://github.com/nodejs/node/pull/8673
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.
Fixes: https://github.com/nodejs/node/issues/8571
PR-URL: https://github.com/nodejs/node/pull/8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/8786
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
This replaces all sources of openssl-1.0.2j.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/8786
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
openssl command does not allow to both "-ssl3" and "-no_tls1".
A protocol connecting to the server is only specified.
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where
gcc-5.4.0. Also asm files in asm_obsolete dir to support old compiler
and assembler are regenerated without CC and ASM envs.
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This replaces all sources of openssl-1.0.2i.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: https://github.com/nodejs/node/pull/8475
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
`/bin/sh -c` trick wasn't working for several reasons:
* `/bin/sh -c "..."` expects the first argument after `"..."` to be a
`$0`, not a `$1`. Previously `-n` wasn't passed to `nm` because of
this, and many symbols were ordered improperly
* `c++filt` was applied not only to the names of the functions but to
their `nm` prefixes like `t` and `a` (`t xxx` turns into
`unsigned char xxx`).
Instead of applying `c++filt` wide and using `sh -c`, execute `nm` as
requested by `deps/v8/tools/tickprocessor.js` and apply `c++filt` to all
matching entries manually.
Included test demonstrates where previous approach failed: all builtins
were merged into `v8::internal::Builtins::~Builtins`, because they were
prefixed by `t` in `nm` output.
PR-URL: https://github.com/nodejs/node/pull/8480
Reviewed-By: Matthew Loring <mattloring@google.com>
* favor ’===’ over in ’==’
* favor ’assert.strictEqual’ over ’assert.equal’
* favor ’const’ over ’var’
PR-URL: https://github.com/nodejs/node/pull/8471
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Clarify a few items in the onboarding doc about landing a PR. One
addition is to include the optional `Refs:` metadata.
PR-URL: https://github.com/nodejs/node/pull/8479
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
ESLint 3.5.0 introduces a `no-restricted-properties` rule. Replace our
custom `no-deepEqual` rule with this rule.
PR-URL: https://github.com/nodejs/node/pull/8478
Reviewed-By: James M Snell <jasnell@gmail.com>
Node todo process example with the follow test-net-binary.js changes:
var --> const where applicable
==, assert.equal--> ===, assert.strictEqual for all cases
PR-URL: https://github.com/nodejs/node/pull/8476
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Line 21 used '==' for a Number comparison, changed to '===''.
Lines 36 and 46 used 'assert.equal', changed to 'assert.strictEqual'.
Lines 2, 3 and 4 require statements used var, changed to const.
PR-URL: https://github.com/nodejs/node/pull/8472
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
We had marked it as flaky but in some failures it hangs
and does not seem to timeout, and or is reported as
an error.
Also add prefix to status file as it was missing.
Also fix name of status file in testcfg.py. It
was pointing to message.status instead of
pseudo-tty.status.
PR-URL: https://github.com/nodejs/node/pull/8470
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
* Replace var's with const and let
* Replace boolean flags with common.mustCall()
* Using stricter comparisons
* Fixed typo in comment
PR-URL: https://github.com/nodejs/node/pull/8458
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8488
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fixes an error where a loop, used to traverse an array of length `n`,
ran `n + 1` times instead of `n`.
PR-URL: https://github.com/nodejs/node/pull/8420
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This commit fixes detection of ArrayBuffers from different V8 contexts.
This is especially a problem for environments like nw.js where the
node and browser V8 contexts are not shared.
PR-URL: https://github.com/nodejs/node/pull/8453
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Conflicts:
test/parallel/test-buffer-alloc.js
PR-URL: https://github.com/nodejs/node/pull/8281
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
The `crypto.timingSafeEqual` test still seems to be a bit flaky. This
makes a few changes to the test:
* Separates the basic usage and the benchmarking into different tests
* Moves the timing-sensitive benchmark function into a separate module,
and reparses the module on every iteration of the loop to avoid shared
state between timing measurements.
PR-URL: https://github.com/nodejs/node/pull/8456
Reviewed-By: James M Snell <jasnell@gmail.com>
Add test for `Protocol` object in `_debugger` module. This test covers
some edge cases that fill some coverage gaps in our testing (such as the
"Unknown state" error).
PR-URL: https://github.com/nodejs/node/pull/8454
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Define the context property r.context.m, not r.m.
PR-URL: https://github.com/nodejs/node/pull/8469
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Add very simple benchmarks for `fs.stat` and `fs.statSync` as
well as `fs.lstat` and `fs.lstatSync` based on the `readdir`
benchmarks.
PR-URL: https://github.com/nodejs/node/pull/8338
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Fix a off-by-one error that made the benchmarks for asynchronous
functions run `n - 1` times instead of `n` times.
PR-URL: https://github.com/nodejs/node/pull/8338
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Note that trying to listen for some signals using `process.on()`
is unsafe in the `process` docs.
PR-URL: https://github.com/nodejs/node/pull/8410
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit attempts to address one of the items in
https://github.com/nodejs/node/issues/4641 which is related to
src/pipe_wrap.cc and src/tcp_wrap.cc.
Currently both pipe_wrap.cc and tcp_wrap.cc contain an AfterConnect
function that are almost identical. This commit extracts this function
into ConnectionWrap so that that both can share it.
PR-URL: https://github.com/nodejs/node/pull/8448
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
They seem to have been introduced as "convenience methods" in commit
75adde0 ("src: remove `node_isolate` from source") for reasons I can
only guess at but they can be removed without much hassle.
PR-URL: https://github.com/nodejs/node/pull/8427
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Conflicts:
src/env.h