This LTS release comes with 89 commits. This includes 46 commits that
are docs related, 11 commits that are test related, 8 commits that are
build related, and 4 commits that are benchmark related.
Notable Changes:
- debugger:
- All properties of an array (aside from length) can now be printed
in the repl (cjihrig)
https://github.com/nodejs/node/pull/6448
- npm:
- Upgrade npm to 2.15.8 (Rebecca Turner)
https://github.com/nodejs/node/pull/7412
- stream:
- Fix for a bug that became more prevalent with the stream changes
that landed in v4.4.5. (Anna Henningsen)
https://github.com/nodejs/node/pull/7160
- V8:
- Fix for a bug in crankshaft that was causing crashes on arm64
(Myles Borins)
https://github.com/nodejs/node/pull/7442
- Add missing classes to postmortem info such as JSMap and JSSet
(evan.lucas)
https://github.com/nodejs/node/pull/3792
The current layout is breaking the release post tool.
This commit also removed erroneous entires in the main CHANGELOG for
v4.4.6 and v5.12.0.
PR-URL: https://github.com/nodejs/node/pull/7394
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
This is a security release. All Node.js users should consult the security
release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases
for details on patched vulnerabilities.
* **buffer**
* backport allocUnsafeSlow (Сковорода Никита Андреевич) [#7169
Notable changes:
* **http**:
- req.read(0) could cause incoming connections to stall and time out
under certain conditions. (Fedor Indutny) [#7211
](https://github.com/nodejs/node/pull/7211)
- When freeing the socket to be reused in keep-alive Agent wait for
both prefinish and end events. Otherwise the next request may be
written before the previous one has finished sending the body, leading
to a parser errors. (Fedor Indutny) [#7149
* buffer: Ignore negative lengths in calls to Buffer() and
Buffer.allocUnsafe(). This fixes a possible security concern
(reported by Feross Aboukhadijeh) where user input is passed
unchecked to the Buffer constructor or allocUnsafe() as it can
expose parts of the memory slab used by other Buffers in the
application. Note that negative lengths are not supported by the
Buffer API and user input to the constructor should always be
sanitised and type-checked.
(Anna Henningsen) https://github.com/nodejs/node/pull/7030
* npm: Upgrade npm to 3.9.3
(Kat Marchán) https://github.com/nodejs/node/pull/7030
* tty: Default to blocking mode for stdio on OS X. A bug fix
in libuv 1.9.0, introduced in Node.js v6.0.0, exposed problems with
Node's use of non-blocking stdio, particularly on OS X which has a
small output buffer. This change should fix CLI applications that
have been having problems with output since Node.js v6.0.0 on OS X.
The core team is continuing to address stdio concerns that exist
across supported platforms and progress can be tracked at
https://github.com/nodejs/node/pull/6980.
(Jeremiah Senkpiel) https://github.com/nodejs/node/pull/6895
* V8: Upgrade to V8 5.0.71.52. This includes a fix that addresses
problems experienced by users of node-inspector since Node.js
v6.0.0, see https://github.com/nodejs/node/issues/6980 for details.
(Michaël Zasso) https://github.com/nodejs/node/pull/6928
Some references to a few versions were broken, likely in part
due to the transition to a split changelog format.
PR-URL: https://github.com/nodejs/node/pull/6942
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
The changelog was getting rather huge and difficult
to manage. It also wasn't very useful in terms of
being able to quickly find specific Node.js versions,
or tracking the history for a single major release
stream.
This reorganizes the changelog by versions separated
out over multiple files. An index of the most recent
versions is provided in the main log.
PR-URL: https://github.com/nodejs/node/pull/6503
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Robert Lindstaedt <robert.lindstaedt@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Not quite sure how, but quite a few of the commits were missing
from the original changelog generated for v6 relative to v5.11.0.
This updates the change log.
PR-URL: https://github.com/nodejs/node/pull/6435
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
The unfortunate has happened, our CHANGELOG is now over 1 MB and cannot
be viewed on github. This commit breaks the CHANGELOG into two files
so that we can continue to show our changes rendered in the github UI.
Closes: https://github.com/nodejs/node/issues/5533
PR-URL: https://github.com/nodejs/node/pull/6337
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Roman Reiss <me@silverwind.io>
The following significant (semver-major) changes have been made since the
previous Node v5.0.0 release.
* Buffer
* New Buffer constructors have been added
[#4682
](https://github.com/nodejs/node/pull/4659).
* File System
* The `fs.realpath()` and `fs.realpathSync()` methods have been updated
to use a more efficient libuv implementation. This change includes the
removal of the `cache` argument and the method can throw new errors
[#3594
Also changed alias P.S.V.R to Minqi Pan.
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/6387
PR-URL: https://github.com/nodejs/node/pull/6076
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
* npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm
v2 LTS from the previously deprecated npm v1. (Forrest L Norvell)
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker
to set up a server that could collect tokens from users of the
command-line interface. Authentication tokens have previously been
sent with every request made by the CLI for logged-in users,
regardless of the destination of the request. This update fixes this
by only including those tokens for requests made against the
registry or registries used for the current install. IMPORTANT:
This is a major upgrade to npm v2 LTS from the previously deprecated
npm v1. (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
are obsolete and not considered safe. This release of Node.js turns
on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
included in these lists which can be used in SSLv3 and higher. Full
details can be found in our LTS discussion on the matter
(https://github.com/nodejs/LTS/issues/85).
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
PR-URL: https://github.com/nodejs/node/pull/5968
Notable changes:
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker
to set up a server that could collect tokens from users of the
command-line interface. Authentication tokens have previously been
sent with every request made by the CLI for logged-in users,
regardless of the destination of the request. This update fixes this
by only including those tokens for requests made against the
registry or registries used for the current install.
(Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
are obsolete and not considered safe. This release of Node.js turns
on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
included in these lists which can be used in SSLv3 and higher. Full
details can be found in our LTS discussion on the matter
(https://github.com/nodejs/LTS/issues/85).
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
PR-URL: https://github.com/nodejs/node/pull/5967
](https://github.com/nodejs/node/pull/5853)
* npm: Upgrade to v3.8.3. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker to
set up a server that could collect tokens from users of the command-line
interface. Authentication tokens have previously been sent with every
request made by the CLI for logged-in users, regardless of the destination
of the request. This update fixes this by only including those tokens
for requests made against the registry or registries used for the
current install. (Forrest L Norvell)
[npm/node#6
Notable Changes
* https:
- Under certain conditions ssl sockets may have been causing a memory
leak when keepalive is enabled. This is no longer the case.
- (Alexander Penev) https://github.com/nodejs/node/pull/5713
* lib:
- The way that we were internally passing arguments was causing a
potential leak. By copying the arguments into an array we can avoid this
- (Nathan Woltman) https://github.com/nodejs/node/pull/4361
* npm:
- Upgrade to v2.15.1. Fixes a security flaw in the use of authentication
tokens in HTTP requests that would allow an attacker to set up a server
that could collect tokens from users of the command-line interface.
Authentication tokens have previously been sent with every request made
by the CLI for logged-in users, regardless of the destination of the
request. This update fixes this by only including those tokens for
requests made against the registry or registries used for the current
install. (Forrest L Norvell)
* repl:
- Previously if you were using the repl in strict mode the column number
would be wrong in a stack trace. This is no longer an issue.
- (Prince J Wesley) https://github.com/nodejs/node/pull/5416
PR-URL: https://github.com/nodejs/node/pull/5961
In December we announced that we would be doing a minor release in order to
get a number of voted on SEMVER-MINOR changes into LTS. Our ability to release this
was delayed due to the unforeseen security release v4.3. We are quickly bumping to
v4.4 in order to bring you the features that we had committed to releasing.
This release also includes over 70 fixes to our docs and over 50 fixes to tests.
The SEMVER-MINOR changes include:
* deps:
- An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/3609
* http:
- A new feature in http(s) agent that catches errors on *keep alived* connections (José F. Romaniello) https://github.com/nodejs/node/pull/4482
* src:
- Better support for Big-Endian systems (Bryon Leung) https://github.com/nodejs/node/pull/3410
* tls:
- A new feature that allows you to pass common SSL options to `tls.createSecurePair` (Коренберг Марк) https://github.com/nodejs/node/pull/2441
* tools
- a new flag `--prof-process` which will execute the tick processor on the provided isolate files (Matt Loring) https://github.com/nodejs/node/pull/4021
Notable semver patch changes include:
* buld:
- Support python path that includes spaces. This should be of particular interest to our Windows users who may have python living in `c:/Program Files` (Felix Becker) https://github.com/nodejs/node/pull/4841
* https:
- A potential fix for https://github.com/nodejs/node/issues/3692 HTTP/HTTPS client requests throwing EPROTO (Fedor Indutny) https://github.com/nodejs/node/pull/4982
* installer:
- More readable profiling information from isolate tick logs (Matt Loring) https://github.com/nodejs/node/pull/3032
* *npm:
- upgrade to npm 2.14.20 (Kat Marchán) https://github.com/nodejs/node/pull/5510
* process:
- Add support for symbols in event emitters. Symbols didn't exist when it was written ¯\_(ツ)_/¯ (cjihrig) https://github.com/nodejs/node/pull/4798
* querystring:
- querystring.parse() is now 13-22% faster! (Brian White) https://github.com/nodejs/node/pull/4675
* streams:
- performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! (Matteo Collina) https://github.com/nodejs/node/pull/4354
* tools:
- eslint has been updated to version 2.1.0 (Rich Trott) https://github.com/nodejs/node/pull/5214
PR-URL: https://github.com/nodejs/node/pull/5301
Notable changes:
* openssl: Fully remove SSLv2 support, the `--enable-ssl2` command
line argument will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using SSLv2.
The SSLv2 protocol is widely considered unacceptably broken and
should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
Note that the upgrade to OpenSSL 1.0.1s in Node.js v0.12.11 removed
internal SSLv2 support. The change in this release was originally
intended for v0.12.11. The `--enable-ssl2` command line argument now
produces an error rather than being a no-op.
PR-URL: https://github.com/nodejs/nodejs.org/pull/562
Notable changes:
* http_parser: Update to http-parser 1.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
(Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
This defect enables attackers to execute side-channel attacks
leading to the potential recovery of entire RSA private keys. It
only affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the `--enable-ssl2` command line argument
will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using
SSLv2. The SSLv2 protocol is widely considered unacceptably broken
and should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
PR-URL: https://github.com/nodejs/node/pull/5404
Notable changes:
* http_parser: Update to http-parser 2.3.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5241
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3885
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3885
* openssl: Upgrade from 1.0.2f to 1.0.2g
(Ben Noordhuis) https://github.com/nodejs/node/pull/5509
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading
to the potential recovery of entire RSA private keys. It only
affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
PR-URL: https://github.com/nodejs/node/pull/5403
Notable changes:
* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
* Fixed several regressions that appeared in v5.7.0:
- path.relative():
- Output is no longer unnecessarily verbose (Brian White)
https://github.com/nodejs/node/pull/5389
- Resolving UNC paths on Windows now works correctly (Owen Smith)
https://github.com/nodejs/node/pull/5456
- Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) https://github.com/nodejs/node/pull/5490
- url: Fixed an off-by-one error with `parse()` (Brian White)
https://github.com/nodejs/node/pull/5394
- dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
https://github.com/nodejs/node/pull/5407
PR-URL: https://github.com/nodejs/node/pull/5464
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website https://nodejs.org/en/blog/vulnerability/openssl-march-2016/
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705 https://www.openssl.org/news/vulnerabilities.html#2016-0705.
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at CVE-2016-0797 https://www.openssl.org/news/vulnerabilities.html#2016-0797.
- Fix a defect that makes the _CacheBleed Atta https://ssrg.nicta.com.au/projects/TS/cachebleed/ _ possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702 https://www.openssl.org/news/vulnerabilities.html#2016-0702.
PR-URL: https://github.com/nodejs/node/pull/5526
* buffer:
- You can now supply an encoding argument when filling a
Buffer Buffer#fill(string[, start[, end]][, encoding]), supplying
an existing Buffer will also work with
Buffer#fill(buffer[, start[, end]]). See the API documentation for
details on how this works. (Trevor Norris) #4935
- Buffer#indexOf() no longer requires a byteOffset argument if you
also wish to specify an encoding:
Buffer#indexOf(val[, byteOffset][, encoding]).
(Trevor Norris) #4803
* child_process: spawn() and spawnSync() now support a 'shell' option
to allow for optional execution of the given command inside a shell.
If set to true, cmd.exe will be used on Windows and /bin/sh
elsewhere. A path to a custom shell can also be passed to override
these defaults. On Windows, this option allows .bat. and .cmd files
to be executed with spawn() and spawnSync(). (Colin Ihrig) #4598
* http_parser: Update to http-parser 2.6.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) #5237
* dgram: socket.send() now supports accepts an array of Buffers or
Strings as the first argument. See the API docs for details on how
this works. (Matteo Collina) #4374
* http: Fix a bug where handling headers will mistakenly trigger an
'upgrade' event where the server is just advertising its protocols.
This bug can prevent HTTP clients from communicating with HTTP/2
enabled servers. (Fedor Indutny) #4337
* net: Added a listening Boolean property to net and http servers to
indicate whether the server is listening for connections.
(José Moreira) #4743
* node: The C++ node::MakeCallback() API is now reentrant and calling
it from inside another MakeCallback() call no longer causes the
nextTick queue or Promises microtask queue to be processed out of
order. (Trevor Norris) #4507
* tls: Add a new tlsSocket.getProtocol() method to get the negotiated
TLS protocol version of the current connection. (Brian White) #4995
* vm: Introduce new 'produceCachedData' and 'cachedData' options to
new vm.Script() to interact with V8's code cache. When a new
vm.Script object is created with the 'produceCachedData' set to true
a Buffer with V8's code cache data will be produced and stored in
cachedData property of the returned object. This data in turn may be
supplied back to another vm.Script() object with a 'cachedData'
option if the supplied source is the same. Successfully executing a
script from cached data can speed up instantiation time. See the API
docs for details. (Fedor Indutny) #4777
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.6.0 to 2.6.1
* npm: upgrade npm from 3.3.12 to 3.6.0
(Rebecca Turner) https://github.com/nodejs/node/pull/4958
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
PR-URL: https://github.com/nodejs/node-private/pull/20
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/24
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/25
Notable changes:
* Fix regression in debugger and profiler functionality
PR-URL: https://github.com/nodejs/node/pull/4788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>