In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
(cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74)
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25368
Notable changes:
* npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm
v2 LTS from the previously deprecated npm v1. (Forrest L Norvell)
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker
to set up a server that could collect tokens from users of the
command-line interface. Authentication tokens have previously been
sent with every request made by the CLI for logged-in users,
regardless of the destination of the request. This update fixes this
by only including those tokens for requests made against the
registry or registries used for the current install. IMPORTANT:
This is a major upgrade to npm v2 LTS from the previously deprecated
npm v1. (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
are obsolete and not considered safe. This release of Node.js turns
on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
included in these lists which can be used in SSLv3 and higher. Full
details can be found in our LTS discussion on the matter
(https://github.com/nodejs/LTS/issues/85).
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
PR-URL: https://github.com/nodejs/node/pull/5968
DES-CBC-SHA is LOW cipher and disabled by default and it is used in
tests of hornorcipherorder. They are changed as to
- use RC4-SHA instead of DES-CBC-SHA.
- add AES128-SHA to entries to keep the number of ciphers.
- remove tests for non-default cipher because only SEED and IDEA are
available in !RC4:!HIGH:ALL.
Fixes: https://github.com/nodejs/LTS/issues/85
PR-URL: https://github.com/nodejs/node/pull/5712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Invoke MSBuild specifying the target platform as generated by Gyp.
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/5627
Notable changes:
* http_parser: Update to http-parser 1.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
(Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
This defect enables attackers to execute side-channel attacks
leading to the potential recovery of entire RSA private keys. It
only affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the `--enable-ssl2` command line argument
will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using
SSLv2. The SSLv2 protocol is widely considered unacceptably broken
and should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
PR-URL: https://github.com/nodejs/node/pull/5404
Set the Connection header to 'close' to work around a v0.10 quirk.
Prevents the test from timing out due to a still open TCP connection.
Test introduced in 1e45a61 ("deps: update http-parser to version 1.2").
PR-URL: https://github.com/nodejs/node/pull/5511
Reviewed-By: James M Snell <jasnell@gmail.com>
Fixes http-parser regression with IS_HEADER_CHAR check
Add test case for obstext characters (> 0x80) in header
PR-URL: https://github.com/nodejs/node/pull/5242
Reviewed-By: Rod Vagg <rod@vagg.org>
Fix node exiting due to an exception being thrown rather than emitting
an 'uncaughtException' event on the process object when:
1. no error handler is set on the domain within which an error is thrown
2. an 'uncaughtException' event listener is set on the process
Also fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and --abort-on-uncaught-exception is used.
Fixes#3607 and #3653.
PR: #3887
PR-URL: https://github.com/nodejs/node/pull/3887
Reviewed-By: James M Snell <jasnell@gmail.com>
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/25
PR-URL: https://github.com/nodejs/node/pull/4894
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
Backport the tools/install.py changes from 628a3ab that were missed
when 6fb0b92 backported the corresponding changes to the Makefile to
build the headers only archive.
PR-URL: https://github.com/nodejs/node/pull/4149
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
This replaces all sources of openssl-1.0.1r.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/4967
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
deps: copy all openssl header files to include dir
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/4967
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
deps: separate sha256/sha512-x86_64.pl for openssl
sha256-x86_64.pl does not exist in the origin openssl distribution. It
was copied from sha512-x86_64.pl and both sha256/sha512 scripts were
modified so as to generates only one asm file specified as its key
hash length.
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
deps: fix openssl assembly error on ia32 win32
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
openssl: fix keypress requirement in apps on win32
reapply b910613792
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
deps: add -no_rand_screen to openssl s_client
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
(cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74)
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25368
The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/22
Security Update
Notable items:
* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
part of the strategy to get a version of npm into Node.js v0.10.x that
works with the current registry
(https://github.com/nodejs/LTS/issues/37). This version of npm prints
out a banner each time it is run. The banner warns that the next
standard release of Node.js v0.10.x will ship with a version of npm
v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
#4133
PR-URL: https://github.com/nodejs/node-private/pull/15
When MSBuild invokes rc.exe, it passes NODE_TAG unstringified, but
passes it correctly to cl.exe. Hence, this workaround was made to
apply only to the resource file.
Fixes: https://github.com/nodejs/node/issues/2963
PR-URL: https://github.com/nodejs/node/pull/3053
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
This is a port of e07c86e240 from v0.12.
Original commit message:
Try the next version of Microsoft Visual Studio when vcvarsall.bat
fails to set VCINSTALLDIR.
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/2910
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This is a port of b0dd3bf499 .
Original commit message:
Windows 10 wasn't listed in the executable manifest.
This caused problems with trying to detect Windows 10
via `os.release()`.
PR-URL: https://github.com/nodejs/io.js/pull/2332
Reviewed-By: Roman Reiss <me@silverwind.io>
PR-URL: https://github.com/nodejs/node/pull/2838
Reviewed-By: silverwind - Roman Reiss <me@silverwind.io>
It was pointed out by Zhou Ran that the Windows XP implementation of
uv_rwlock_rdlock() and friends may unlock the inner write mutex on a
different thread than the one that locked it, resulting in undefined
behavior.
The only place that uses rwlocks is the crypto module. Make that use
normal (simple) mutexes instead.
OpenSSL's critical sections are generally very short, with exclusive
access outnumbering shared access by a factor of three or more, so
it's not as if using rwlocks gives a decisive performance advantage.
PR-URL: https://github.com/nodejs/node/pull/2723
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This section was inconsistent with the actual behavior of `require` and
with other parts of this same document, which do describe the ability
to treat index.json as a module’s default file.
PR-URL: https://github.com/joyent/node/pull/8868
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Using `arguments` and reassigning parameter variable
values causes v8 to disable function optimization.
PR-URL: https://github.com/joyent/node/pull/8942
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Shigeki Ohtsu
Fedor Indutny
Rod Vagg
Forrest L Norvell
João Reis
Ben Noordhuis
James M Snell
Julien Gilli
Richard Lau
Lucien Greathouse
Alexis Campailla
skenqbx
Jörg Krause
Elan Shanker
Brian White