This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted into
Node.js at runtime by masquerading as one of the dynamic engine
modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/70
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/46
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/65
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/63
PR-URL: https://github.com/nodejs/node-private/pull/74
This LTS release comes with 89 commits. This includes 46 commits that
are docs related, 11 commits that are test related, 8 commits that are
build related, and 4 commits that are benchmark related.
Notable Changes:
- debugger:
- All properties of an array (aside from length) can now be printed
in the repl (cjihrig)
https://github.com/nodejs/node/pull/6448
- npm:
- Upgrade npm to 2.15.8 (Rebecca Turner)
https://github.com/nodejs/node/pull/7412
- stream:
- Fix for a bug that became more prevalent with the stream changes
that landed in v4.4.5. (Anna Henningsen)
https://github.com/nodejs/node/pull/7160
- V8:
- Fix for a bug in crankshaft that was causing crashes on arm64
(Myles Borins)
https://github.com/nodejs/node/pull/7442
- Add missing classes to postmortem info such as JSMap and JSSet
(evan.lucas)
https://github.com/nodejs/node/pull/3792
The current layout is breaking the release post tool.
This commit also removed erroneous entires in the main CHANGELOG for
v4.4.6 and v5.12.0.
PR-URL: https://github.com/nodejs/node/pull/7394
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove extra newlines that were causing rendering problems.
PR-URL: https://github.com/nodejs/node/pull/6958
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Notable Changes
* https:
- Under certain conditions ssl sockets may have been causing a memory
leak when keepalive is enabled. This is no longer the case.
- (Alexander Penev) https://github.com/nodejs/node/pull/5713
* lib:
- The way that we were internally passing arguments was causing a
potential leak. By copying the arguments into an array we can avoid this
- (Nathan Woltman) https://github.com/nodejs/node/pull/4361
* npm:
- Upgrade to v2.15.1. Fixes a security flaw in the use of authentication
tokens in HTTP requests that would allow an attacker to set up a server
that could collect tokens from users of the command-line interface.
Authentication tokens have previously been sent with every request made
by the CLI for logged-in users, regardless of the destination of the
request. This update fixes this by only including those tokens for
requests made against the registry or registries used for the current
install. (Forrest L Norvell)
* repl:
- Previously if you were using the repl in strict mode the column number
would be wrong in a stack trace. This is no longer an issue.
- (Prince J Wesley) https://github.com/nodejs/node/pull/5416
PR-URL: https://github.com/nodejs/node/pull/5961
In December we announced that we would be doing a minor release in order to
get a number of voted on SEMVER-MINOR changes into LTS. Our ability to release this
was delayed due to the unforeseen security release v4.3. We are quickly bumping to
v4.4 in order to bring you the features that we had committed to releasing.
This release also includes over 70 fixes to our docs and over 50 fixes to tests.
The SEMVER-MINOR changes include:
* deps:
- An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/3609
* http:
- A new feature in http(s) agent that catches errors on *keep alived* connections (José F. Romaniello) https://github.com/nodejs/node/pull/4482
* src:
- Better support for Big-Endian systems (Bryon Leung) https://github.com/nodejs/node/pull/3410
* tls:
- A new feature that allows you to pass common SSL options to `tls.createSecurePair` (Коренберг Марк) https://github.com/nodejs/node/pull/2441
* tools
- a new flag `--prof-process` which will execute the tick processor on the provided isolate files (Matt Loring) https://github.com/nodejs/node/pull/4021
Notable semver patch changes include:
* buld:
- Support python path that includes spaces. This should be of particular interest to our Windows users who may have python living in `c:/Program Files` (Felix Becker) https://github.com/nodejs/node/pull/4841
* https:
- A potential fix for https://github.com/nodejs/node/issues/3692 HTTP/HTTPS client requests throwing EPROTO (Fedor Indutny) https://github.com/nodejs/node/pull/4982
* installer:
- More readable profiling information from isolate tick logs (Matt Loring) https://github.com/nodejs/node/pull/3032
* *npm:
- upgrade to npm 2.14.20 (Kat Marchán) https://github.com/nodejs/node/pull/5510
* process:
- Add support for symbols in event emitters. Symbols didn't exist when it was written ¯\_(ツ)_/¯ (cjihrig) https://github.com/nodejs/node/pull/4798
* querystring:
- querystring.parse() is now 13-22% faster! (Brian White) https://github.com/nodejs/node/pull/4675
* streams:
- performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! (Matteo Collina) https://github.com/nodejs/node/pull/4354
* tools:
- eslint has been updated to version 2.1.0 (Rich Trott) https://github.com/nodejs/node/pull/5214
PR-URL: https://github.com/nodejs/node/pull/5301
The wrong commit SHAs were used
PR-URL: https://github.com/nodejs/node/pull/5165
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
PR-URL: https://github.com/nodejs/node-private/pull/20
Notable changes:
* Fix regression in debugger and profiler functionality
PR-URL: https://github.com/nodejs/node/pull/4788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
* Include reference to CVE-2015-8027
* Fix "socket may no longer have a socket" reference
* Expand on non-existent parser causing the error
* Soften language for CVE-2015-3193 as impact may not be as great as
expected
* Clarify that CVE-2015-3194 affects TLS servers using _client
certificate authentication_
* Include reference to CVE-2015-6764
* Remove links to nodejs/node-private in commits list
PR-URL: https://github.com/nodejs/node/pull/4155
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
* A known issue was resolved but not removed from the list
* The wrong date was documented in the changelog for v4.2.2
PR-URL: https://github.com/nodejs/node/pull/3650
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server using
DHE key exchange. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
in out-of-bounds reads for arrays. (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/12
Update the label for v4.2.0 to (LTS) from (Stable)
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3343
Notable changes
* http:
- Fix out-of-order 'finish' event bug in pipelining that can abort
execution, fixes DoS vulnerability CVE-2015-7384
(Fedor Indutny) #3128
- Account for pending response data instead of just the data on the
current request to decide whether pause the socket or not
(Fedor Indutny) #3128
* libuv: Upgraded from v1.7.4 to v1.7.5, see release notes for details
(Saúl Ibarra Corretgé) #3010
- A better rwlock implementation for all Windows versions
- Improved AIX support
* v8:
- Upgraded from v4.5.103.33 to v4.5.103.35 (Ali Ijaz Sheikh) #3117
- Backported f782159 from v8's upstream to help speed up Promise
introspection (Ben Noordhuis) #3130
- Backported c281c15 from v8's upstream to add JSTypedArray length
in post-mortem metadata (Julien Gilli) #3031
PR-URL: https://github.com/nodejs/node/pull/3128
Notable changes
* buffer: Fixed a bug introduced in v4.1.0 where allocating a new
zero-length buffer can result in the next allocation of a TypedArray
in JavaScript not being zero-filled. In certain circumstances this
could result in data leakage via reuse of memory space in
TypedArrays, breaking the normally safe assumption that TypedArrays
should be always zero-filled. (Trevor Norris) #2931.
* http: Guard against response-splitting of HTTP trailing headers
added via response.addTrailers() by removing new-line ([\r\n])
characters from values. Note that standard header values are already
stripped of new-line characters. The expected security impact is low
because trailing headers are rarely used. (Ben Noordhuis) #2945.
* npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full
details (Kat Marchán) #2958
- Upgrades graceful-fs on multiple dependencies to no longer rely on
monkey-patching fs
- Fix npm link for pre-release / RC builds of Node
* v8: Update post-mortem metadata to allow post-mortem debugging tools
to find and inspect:
- JavaScript objects that use dictionary properties
(Julien Gilli) #2959
- ScopeInfo and thus closures (Julien Gilli) #2974
This list of changes is relative to the last io.js v3.x branch
release, v3.3.0. Please see the list of notable changes in the v3.x,
v2.x and v1.x releases for a more complete list of changes from
0.12.x. Note, that some changes in the v3.x series as well as major
breaking changes in this release constitute changes required for full
convergence of the Node.js and io.js projects.
* child_process: ChildProcess.prototype.send() and process.send()
operate asynchronously across all platforms so an optional callback
parameter has been introduced that will be invoked once the message
has been sent, i.e. .send(message[, sendHandle][, callback])
(Ben Noordhuis) #2620.
* node: Rename "io.js" code to "Node.js" (cjihrig) #2367.
* node-gyp: This release bundles an updated version of node-gyp that
works with all versions of Node.js and io.js including nightly and
release candidate builds. From io.js v3 and Node.js v4 onward, it
will only download a headers tarball when building addons rather
than the entire source. (Rod Vagg) #2700.
* npm: Upgrade to version 2.14.2 from 2.13.3, includes a security
update, see https://github.com/npm/npm/releases/tag/v2.14.2 for more
details, (Kat Marchán) #2696.
* timers: Improved timer performance from porting the 0.12
implementation, plus minor fixes (Jeremiah Senkpiel) #2540,
(Julien Gilli) nodejs/node-v0.x-archive#8751nodejs/node-v0.x-archive#8905
* util: The util.is*() functions have been deprecated, beginning with
deprecation warnings in the documentation for this release, users
are encouraged to seek more robust alternatives in the npm registry,
(Sakthipriyan Vairamani) #2447.
* v8: Upgrade to version 4.5.103.30 from 4.4.63.30 (Ali Ijaz Sheikh) #2632.
- Implement new TypedArray prototype methods: copyWithin(), every(),
fill(), filter(), find(), findIndex(), forEach(), indexOf(),
join(), lastIndexOf(), map(), reduce(), reduceRight(), reverse(),
slice(), some(), sort(). See
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
for further information.
- Implement new TypedArray.from() and TypedArray.of() functions. See
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
for further information.
- Implement arrow functions. See
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Arrow_functions
for further information.
- Full ChangeLog available at
https://github.com/v8/v8-git-mirror/blob/4.5.103/ChangeLog
Notable changes:
* build: Add a --link-module option to configure that can be used to
bundle additional JavaScript modules into a built binary
(Bradley Meck) #2497
* docs: Merge outstanding doc updates from joyent/node
(James M Snell) #2378
* http_parser: Significant performance improvement by having
http.Server consume all initial data from its net.Socket and parsing
directly without having to enter JavaScript. Any 'data' listeners on
the net.Socket will result in the data being "unconsumed" into
JavaScript, thereby undoing any performance gains.
(Fedor Indutny) #2355
* libuv: Upgrade to 1.7.3 (from 1.6.1), see
https://github.com/libuv/libuv/blob/v1.x/ChangeLog for details
(Saúl Ibarra Corretgé) #2310
* V8: Upgrade to 4.4.63.30 (from 4.4.63.26) (Michaël Zasso) #2482
cherry-picked from v3.x @ 1a6e52db30
PR-URL: https://github.com/nodejs/node/pull/2653
Reviewed-By: cjihrig - Colin Ihrig <cjihrig@gmail.com>
Notable changes:
* events: Added EventEmitter#listenerCount(event) as a replacement for
EventEmitter.listenerCount(emitter, event), which has now been
marked as deprecated in the docs. (Sakthipriyan Vairamani) #2349
* module: Fixed an error with preloaded modules when the current
working directory doesn't exist. (Bradley Meck) #2353
* node: Startup time is now about 5% faster when not passing V8 flags.
(Evan Lucas) #2483
* repl: Tab-completion now works better with arrays.
(James M Snell) #2409
* string_bytes: Fixed an unaligned write in the handling of UCS2
encoding. (Fedor Indutny) #2480
* tls: Added a new --tls-cipher-list flag that can be used to override
the built-in default cipher list. (James M Snell) #2412
PR-URL: https://github.com/nodejs/node/pull/2512
This commit replaces instances of io.js with Node.js, based on the
recent convergence. There are some remaining instances of io.js,
related to build and the installer.
Fixes: https://github.com/nodejs/node/issues/2361
PR-URL: https://github.com/nodejs/node/pull/2367
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
Notable changes:
* buffer:
- Due to changes in V8, it has been necessary to reimplement Buffer
on top of V8's Uint8Array. While every effort has been made to
maintain performance, users are likely to experience a different
performance profile depending on how Buffer is used.
(Trevor Norris) #1825.
- Buffer can now take ArrayBuffers as a constructor argument
(Trevor Norris) #2002.
- When a single buffer is passed to Buffer.concat(), a new, copied
Buffer object will be returned; previous behavior was to return
the original Buffer object (Sakthipriyan Vairamani) #1937.
* build: PPC support has been added to core to allow compiling on
pLinux BE and LE (AIX support coming soon) (Michael Dawson) #2124.
* dgram: If an error occurs within socket.send() and a callback has
been provided, the error is only passed as the first argument to the
callback and not emitted on the socket object; previous behavior was
to do both (Matteo Collina & Chris Dickinson) #1796
* freelist: Deprecate the undocumented freelist core module
(Sakthipriyan Vairamani) #2176.
* http:
- Status codes now all use the official IANA names as per RFC7231,
e.g. http.STATUS_CODES[414] now returns 'URI Too Long' rather than
'Request-URI Too Large' (jomo) #1470.
- Calling .getName() on an HTTP agent no longer returns a trailing
colon, HTTPS agents will no longer return an extra colon near the
middle of the string (Brendan Ashworth) #1617.
* node:
- NODE_MODULE_VERSION has been bumped to 45 to reflect the break in
ABI (Rod Vagg) #2096.
- Introduce a new process.release object that contains a name
property set to 'io.js' and sourceUrl, headersUrl and libUrl
(Windows only) properties containing URLs for the relevant
resources; this is intended to be used by node-gyp
(Rod Vagg) #2154.
- The version of node-gyp bundled with io.js now downloads and uses
a tarball of header files from iojs.org rather than the full
source for compiling native add-ons; it is hoped this is a
temporary floating patch and the change will be upstreamed to
node-gyp soon (Rod Vagg) #2066.
* repl: Persistent history is now enabled by default. The history file
is located at ~/.node_repl_history, which can be overridden by the
new environment variable NODE_REPL_HISTORY. This deprecates the
previous NODE_REPL_HISTORY_FILE variable. Additionally, the format
of the file has been changed to plain text to better handle file
corruption. (Jeremiah Senkpiel) #2224.
* smalloc: The smalloc module has been removed as it is no longer
possible to provide the API due to changes in V8
(Ben Noordhuis) #2022.
* tls: Add server.getTicketKeys() and server.setTicketKeys() methods
for TLS session key rotation (Fedor Indutny) #2227.
* v8: Upgraded to 4.4.63.26
- ES6: Enabled computed property names
- ES6: Array can now be subclassed in strict mode
- ES6: Implement rest parameters in staging, use the
--harmony-rest-parameters command line flag
- ES6: Implement the spread operator in staging, use the
--harmony-spreadcalls command line flag
- Removed SetIndexedPropertiesToExternalArrayData and related APIs,
forcing a shift to Buffer to be reimplemented based on Uint8Array
- Introduction of Maybe and MaybeLocal C++ API for objects which may
or may not have a value.
- Added support for PPC
PR-URL: https://github.com/nodejs/io.js/pull/2299
Notable changes
* deps: Fixed an out-of-band write in utf8 decoder.
This is an important security update as it can be used to cause a
denial of service attack.
Notable changes
build:
- Added support for compiling with Microsoft Visual C++ 2015
- Started building and distributing headers-only tarballs along with binaries
PR-URL: https://github.com/nodejs/io.js/pull/1996
Notable changes
* module: The number of syscalls made during a require() have been
significantly reduced again (see #1801 from v2.2.0 for previous
work), which should lead to a performance improvement
(Pierre Inglebert) #1920.
* npm:
- Upgrade to v2.11.2 (Rebecca Turner) #1956.
- Upgrade to v2.11.3 (Forrest L Norvell) #2018.
* zlib: A bug was discovered where the process would abort if the
final part of a zlib decompression results in a buffer that would
exceed the maximum length of 0x3fffffff bytes (~1GiB). This was
likely to only occur during buffered decompression (rather than
streaming). This is now fixed and will instead result in a thrown
RangeError (Michaël Zasso) #1811.
Notable Changes:
* libuv: Upgraded to 1.6.0 and 1.6.1, see full ChangeLog for details.
(Saúl Ibarra Corretgé) #1905#1889. Highlights include:
- Fix TTY becoming blocked on OS X
- Fix UDP send callbacks to not to be synchronous
- Add uv_os_homedir() (exposed as os.homedir(), see below)
* npm: See full release notes for details. (Kat Marchán) #1899. Highlight:
- Use GIT_SSH_COMMAND (available as of Git 2.3)
* openssl:
- Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection
(Logjam) and fixes malformed ECParameters causing infinite loop
(CVE-2015-1788). See the security advisory for full details.
(Shigeki Ohtsu) #1950#1958
- Support FIPS mode of OpenSSL, see README for instructions.
(Fedor Indutny) #1890
* os: Add os.homedir() method. (Colin Ihrig) #1791
* smalloc: Deprecate whole module. (Vladimir Kurchatkin) #1822
* Add new collaborators:
- Alex Kocharin (@rlidwka)
- Christopher Monsanto (@monsanto)
- Ali Ijaz Sheikh (@ofrobots)
- Oleg Elifantiev (@Olegas)
- Domenic Denicola (@domenic)
- Rich Trott (@Trott)