Notable changes
* http: Writes no longer abort if the Socket is missing.
* process, async_hooks: Avoid problems when triggerAsyncId is undefined.
* zlib: Streams no longer attempt to process data when destroyed.
PR-URL: https://github.com/nodejs/node/pull/14399
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable changes
* **build**:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
(Ali Ijaz Sheikh)
* **deps**:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks that
there is enough data for the required elements of an NAPTR record (2
int16, 3 bytes for string lengths) before processing a record. (David
Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/91
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
* **build**:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
(Ali Ijaz Sheikh)
* **deps**:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks that
there is enough data for the required elements of an NAPTR record (2
int16, 3 bytes for string lengths) before processing a record. (David
Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/92
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable Changes:
* build:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node
up to collision attacks which could result in a Denial of Service.
We have temporarily disabled snapshots until a more robust solution
is found (Ali Ijaz Sheikh)
* deps:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks
that there is enough data for the required elements of an NAPTR
record (2 int16, 3 bytes for string lengths) before processing a
record. (David Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/89
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable Changes:
* build:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node
up to collision attacks which could result in a Denial of Service.
We have temporarily disabled snapshots until a more robust solution
is found (Ali Ijaz Sheikh)
* deps:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks
that there is enough data for the required elements of an NAPTR
record (2 int16, 3 bytes for string lengths) before processing a
record. (David Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/90
PR-URL: https://github.com/nodejs/node/pull/13313
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
BUILDING.md
+ L122: Missing code-language flag
+ L170: Strong should use `*` as a marker
doc/changelogs/CHANGELOG_V6.md
+ L1494: Don't pad `emphasis` with inner spaces
doc/guides/maintaining-V8.md
+ L3: Don't use multiple top level headings
+ L16: Don't use multiple top level headings
+ L40: Don't use multiple top level headings
+ L124: Don't use multiple top level headings
+ L182: Missing code-language flag
+ L223: Don't use multiple top level headings
+ L288: Don't use multiple top level headings
+ L307: Don't use multiple top level headings
doc/guides/writing-tests.md
+ L322: Missing code-language flag
+ L329: Missing code-language flag
doc/releases.md
+ L299: Missing code-language flag
PR-URL: https://github.com/nodejs/node/pull/13270
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Make the style of "Note:" paragraphs consistent and document the
guidelines in `doc/STYLE_GUIDE.md`.
PR-URL: https://github.com/nodejs/node/pull/13133
Fixes: https://github.com/nodejs/node/issues/13131
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/13039
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/12206
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.
This includes:
* a fix for memory leak in the crypto module that
was introduced in 6.10.1
* a fix for a regression introduced to the windows repl in 6.10.0
* a backported fix for V8 to stop a segfault that could occur
when using spread syntax
It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
https://github.com/nodejs/node/pull/12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
https://github.com/nodejs/node/pull/10980
- backport V8 fixes for spread syntax regression causing segfaults
(Michaël Zasso) https://github.com/nodejs/node/pull/12037
* repl:
- Revert commit that broke REPL display on Windows (Myles Borins)
https://github.com/nodejs/node/pull/12123
When the release was cut, the changelog heading in CHANGELOG_V7
was accidentally omitted.
PR-URL: https://github.com/nodejs/node/pull/11823
Fixes: https://github.com/nodejs/node/issues/11822
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: https://github.com/nodejs/node/pull/11189
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Notable changes:
Node.js 7.7.0 contains a bug that will prevent all native modules
from building, this patch should fix the issue. Apologies to
everyone who was affected by 7.7.0.
PR-URL: https://github.com/nodejs/node/pull/11638
This adds an anchor for v6.10.0 in the LTS column.
PR-URL: https://github.com/nodejs/node/pull/11534
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Notable changes:
* crypto:
* ability to select cert store at runtime (Adam Majer) #8334
* Use system CAs instead of using bundled ones (Adam Majer) #8334
* deps:
* upgrade npm to 4.1.2 (Kat Marchán) #11020
* upgrade openssl sources to 1.0.2k (Shigeki Ohtsu) #11021
* doc: add basic documentation for WHATWG URL API (James M Snell) #10620
* process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842
* url: allow use of URL with http.request and https.request (James M Snell) #10638
PR-URL: https://github.com/nodejs/node/pull/11062
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11083
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11081
Move the LTS releases for Node 6 to the `LTS` column in the
corresponding `CHANGELOG_V6.md`.
PR-URL: https://github.com/nodejs/node/pull/10827
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This contained a duplicate link to the PR for a notable change,
presumably because that PR was composed of 2 separate commits.
PR-URL: https://github.com/nodejs/node/pull/10827
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
This is a special release that contains 0 commits. While promoting
additional platforms for v4.7.1 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
Anna Henningsen
Myles Borins
Jeremiah Senkpiel
Evan Lucas
Rod Vagg
James M Snell
James, please
Daijiro Wachi
Alexey Orlenko
Frank Lanitz
Italo A. Casas
Zero King
cjihrig
Myles Borins
Benjamin Fleischer
Luigi Pinca