The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/21
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket but a
pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133
PR-URL: https://github.com/nodejs/node-private/pull/13
When MSBuild invokes rc.exe, it passes NODE_TAG unstringified, but
passes it correctly to cl.exe. Hence, this workaround was made to
apply only to the resource file.
Fixes: https://github.com/nodejs/node/issues/2963
PR-URL: https://github.com/nodejs/node/pull/3053
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
As part of the fix for logjam, node was upgraded to a
level of openssl which rejects connections to servers that
are using keys smaller than 768 bits. It is still possible,
however, to create a server that uses a smaller key size
and and older client may be able to connect to it.
This PR moves us to a secure by default stance on the
server side as well, preventing the creation of a server
using a dhe key size less than 768. This can be overridden
with the command line option which is also added.
It is derived from
9b35be5810
which was landed in later io.js/node versions but makes
the limit 1024. This PR uses the smaller limit in order
to meet the recomendations for logjam while matching was
was done on the client side in openssl to minimize the
potential impacton users.
The command line option will only be documented in the
release notes and will not be added to the tls
documentation. The goal is that people who are
upgrading are aware and can use the option if they
run into issues, but otherwise the option is not
visible/used.
PR-URL: https://github.com/nodejs/node/pull/3890
Fixes: https://github.com/nodejs/LTS/issues/49
Reviewed-By: Myles Borins <mborins@us.ibm.com>
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
This is a roll-up release that includes all changes to npm since 2.13.4.
PR-URL: https://github.com/nodejs/node/pull/3684
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fix the following build error by putting #if guards around the
variables:
../src/node.cc: In function 'void node::ParseArgs(int*,
const char**, int*, const char***, int*, const char***)':
../src/node.cc:3037:7: error: 'SSL2_ENABLE' was not declared
in this scope
SSL2_ENABLE = true;
^
../src/node.cc:3039:7: error: 'SSL3_ENABLE' was not declared
in this scope
SSL3_ENABLE = true;
Fixes: https://github.com/nodejs/node-v0.x-archive/issues/8645
PR-URL: https://github.com/nodejs/node/pull/3825
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
caeb677
Do not abort the process if an error is thrown from within a domain,
an error handler is setup for the domain and
--abort-on-uncaught-exception was passed on the command line.
However, if an error is thrown from within the top-level domain's
error handler and --abort-on-uncaught-exception was passed on the
command line, make the process abort.
Fixes: #8877
Fixes: https://github.com/nodejs/node-v0.x-archive/issues/8877
PR-URL: https://github.com/nodejs/node-v0.x-archive/pull/25835
Reviewed-By: misterdjules - Julien Gilli <jgilli@nodejs.org>
Try the next version of Microsoft Visual Studio when vcvarsall.bat
fails to set VCINSTALLDIR.
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This is a port of b0dd3bf499 .
Original commit message:
Windows 10 wasn't listed in the executable manifest.
This caused problems with trying to detect Windows 10
via `os.release()`.
PR-URL: https://github.com/nodejs/io.js/pull/2332
Reviewed-By: Roman Reiss <me@silverwind.io>
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
To compile with VS2015, the == and != methods in zone-allocator.h need
to be marked const.
This change was introduced upstream in
f9e4527f32
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This is a port of a525c7244e .
Original commit message:
Gyp update to be able to generate VS2015 projects.
PR-URL: https://github.com/joyent/node/pull/25857
Reviewed-By: Alexis Campailla <alexis@janeasystems.com>
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This is a port of e192f61514 .
Original commit message:
Older WiX versions included a header with extern "C" declaration,
hence the custom action source must be C++.
Reviewed-By: João Reis <reis@janeasystems.com>
PR-URL: https://github.com/joyent/node/pull/25569
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This is a port of 16bcd68dc5 .
Original commit message:
The original change that added support for running custom actions
during the install process (e7c84f82c7)
assumed that Visual Studio 2013 is used to generate the installer
file.
However, that is not always the case, and older versions of Visual
Studio should allow users to generate Windows installer files. This
change makes the custom actions visual studio project use the visual
studio version that is found by vcbuild.bat.
Reviewed-By: João Reis <reis@janeasystems.com>
PR-URL: https://github.com/joyent/node/pull/25569
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
It was pointed out by Zhou Ran that the Windows XP implementation of
uv_rwlock_rdlock() and friends may unlock the inner write mutex on a
different thread than the one that locked it, resulting in undefined
behavior.
The only place that uses rwlocks is the crypto module. Make that use
normal (simple) mutexes instead.
OpenSSL's critical sections are generally very short, with exclusive
access outnumbering shared access by a factor of three or more, so
it's not as if using rwlocks gives a decisive performance advantage.
PR-URL: https://github.com/nodejs/node/pull/2723
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Changed child_process.exec documentation to reflect that the parameters stdout and stderr are instances of Buffer only if {encoding: null}. Otherwise, they are instances of String with the encoding.
Fixes#9434
removed .DS_Store
PR-URL: https://github.com/joyent/node/pull/14088
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: piscisaureus - Bert Belder <bertbelder@gmail.com>
spawnSync() modifies the options argument. This commit makes
a copy of options before any modifications occur.
PR-URL: https://github.com/joyent/node/pull/9159
Reviewed-By: trevnorris - Trevor Norris <trev.norris@gmail.com>
Updated documentation as per the issue below:
https://github.com/joyent/node/issues/25466
Event listeners can alter parts of the passed object, in some
circumstances the changes are passed to the next listeners
due to pass by reference. This is documentation of that behavior.
PR-URL: https://github.com/joyent/node/pull/25467
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
This change is a backport of
nodejs/node@4c06515a2f13c9b0890b374bb3ab3c0740c282e2.
Original commit message:
The particular ufile.c is from
http://bugs.icu-project.org/trac/changeset/37704
and should be OK for ICU 54 and 55.
Also, adds general mechanism for floating patches on top of ICU.
Fixes: nodejs/node#2279
PR-URL: nodejs/node#2283
Reviewed-By: João Reis <reis@janeasystems.com>
Fixes: #25792
PR-URL: https://github.com/joyent/node/pull/25804
Reviewed-By: João Reis <reis@janeasystems.com>
No offense to @izs, but the doxygen he put up 3.5 years ago isn't
accurate for node 0.12 nor io.js. I'm trying to keep up and have
multiple sets of doxygen of v8 available at http://v8dox.com/
PR-URL: https://github.com/joyent/node/pull/25811
Reviewed-By: James M Snell <jasnell@gmail.com>
The current wording "This module is used for writing unit tests for your applications, you can access it with require('assert')." implies that this module should only be used in development while unit testing.
The article "Error Handling in Node.js" by Joyent (https://www.joyent.com/developers/node/design/errors) uses the assert module in an efficient way to validate required function arguments.
PR-URL: https://github.com/joyent/node/pull/25811
Reviewed-By: James M Snell <jasnell@gmail.com>
per https://github.com/joyent/node/issues/14597
Indicate that `'readable'` indicates only that data can
be read from the stream, not that there is actually data
to be consumed. `readable.read([size])` can still return
null. Includes an example that illustrates the point.
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25591
Per https://github.com/joyent/node/issues/14604,
Document that performing an `unshift` during a read
can have unexpected results. Following the `unshift`
with a `push('')` resets the reading state appropriately.
Also indicate that doing an `unshift` during a read
is not optimal and should be avoided.
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25591
per: https://github.com/joyent/node/issues/14596
1. document that a runtime error will occur if you attempt
to unshift after the end event
2. document that calling read after the end event will return
null and will not trigger a runtime error
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25591
James M Snell
Rod Vagg
Ben Noordhuis
Fedor Indutny
João Reis
Michael Dawson
Forrest L Norvell
Jeremy Whitlock
Lucien Greathouse
Andy Polyakov
Shigeki Ohtsu
Julien Gilli
Tyler Anton
cjihrig
Devin Nakamura
Samuel Mills (Henchman)
Evan Lucas
Steven R. Loomis
Kat Marchán
Max Deepfield
George Kotchlamazashvili
Steven R. Loomis
Julien Valéry
Chad Walker
Dyana Rose
daveboivin
Andrew Murray
Daniel Rentz
fresheneesz