Previously, we were signing the binary that was released in the .pkg,
but not the binary released in the tarball.
PR-URL: https://github.com/nodejs/node/pull/14179
Fixes: https://github.com/nodejs/node/issues/11936
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Allow passing the prefix in via the PKGDIR env var. This will allow us
to use this same script to codesign the binary tarball.
PR-URL: https://github.com/nodejs/node/pull/14179
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
gpg 2.1 no longer includes the key-id by default which breaks
the release script. This makes sure we are explicit about it.
PR-URL: https://github.com/nodejs/node/pull/13309
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Functions that call `ECDH::BufferToPoint` were not clearing the
error stack on failure, so an invalid key could leave leftover
error state and cause subsequent (unrelated) signing operations
to fail.
PR-URL: https://github.com/nodejs/node/pull/13275
Backport-PR-URL: https://github.com/nodejs/node/pull/13399
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
HGlobalValueNumberingPhase::CollectSideEffectsOnPathsToDominatedBlock()
used to self-recurse before this commit, causing stack overflows on
systems with small stack sizes. Make it non-recursive by storing
intermediate results in a heap-allocated list.
Fixes: https://github.com/nodejs/node/issues/11991
Backport-PR-URL: https://github.com/nodejs/node/pull/13080
PR-URL: https://github.com/nodejs/node/pull/12460
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yang Guo <yangguo@chromium.org>
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.
After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.
Original commit message:
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
Refs: https://github.com/openssl/openssl/issues/3241
Refs: https://github.com/openssl/openssl/pull/3385
Fixes: https://github.com/nodejs/node/issues/12691
PR-URL: https://github.com/nodejs/node/pull/12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
* The following function from <unicode/normlzr.h> is used:
normalize()
* Until ICU 59, <unicode/normlzr.h> is indirectly included, but this changed with the 59 release. Adding this header has been the right thing to do for many years, so it is backwards compatible and fix compilation with recent ICU.
Refs: https://github.com/nodejs/node/issues/13022
PR-URL: https://github.com/nodejs/node/pull/13040
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable Changes:
* build:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node
up to collision attacks which could result in a Denial of Service.
We have temporarily disabled snapshots until a more robust solution
is found (Ali Ijaz Sheikh)
* deps:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks
that there is enough data for the required elements of an NAPTR
record (2 int16, 3 bytes for string lengths) before processing a
record. (David Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/90
Original commit message:
ares_parse_naptr_reply: check sufficient data
Check that there is enough data for the required elements
of an NAPTR record (2 int16, 3 bytes for string lengths)
before processing a record.
This patch fixes CVE-2017-1000381
The c-ares function ares_parse_naptr_reply(), which is used for
parsing NAPTR responses, could be triggered to read memory outside
of the given input buffer if the passed in DNS response packet was
crafted in a particular way.
Refs: https://c-ares.haxx.se/adv_20170620.html
Refs: https://c-ares.haxx.se/CVE-2017-1000381.patch
PR-URL: https://github.com/nodejs/node-private/pull/88
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This tests that the hash seed used by V8 for hashing is random.
PR-URL: https://github.com/nodejs/node-private/pull/84
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
This fixes a potential Buffer(num) call when the user passes a number
as the 'auth' property.
This now throws instead of allocating an unitialized memory Buffer and
sending that in the Authorization header.
Fixes: https://github.com/nodejs/security/issues/111
PR-URL: https://github.com/nodejs/node-private/pull/83
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
https://github.com/nodejs/node/pull/11863 adds _O_RDWR to node.cc
which is defined in fcntl.h. This adds this include directly to
node.cc.
PR-URL: https://github.com/nodejs/node/pull/12540
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Currently test-tls-socket-close will fail if node
was built using --without-ssl. This commit adds a check to
verify is crypto support exists and if not skip this test.
PR-URL: https://github.com/nodejs/node/pull/11911
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yuta Hiroto <hello@about-hiroppy.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Original commit message:
Trigger OOM crash if no memory returned in v8::ArrayBuffer::New and v…
…8::SharedArrayBuffer::New.
This API does not allow reporting failure, but we should crash rather than have
the caller get an ArrayBuffer that isn't properly set up.
BUG=chromium:681843
Review-Url: https://codereview.chromium.org/2641953002
Cr-Commit-Position: refs/heads/master@{#42511}
PR-URL: https://github.com/nodejs/node/pull/11940
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This partually reverts commit 4cdb0e89d8.
A nullptr check in TSLWrap::IsAlive() and the added test were left.
PR-URL: https://github.com/nodejs/node/pull/11947
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
The TLSWrap constructor is passed a StreamBase* which it stores as
TLSWrap::stream_, and is used to receive/send data along the pipeline
(e.g. tls -> tcp). Problem is the lifetime of the instance that stream_
points to is independent of the lifetime of the TLSWrap instance. So
it's possible for stream_ to be delete'd while the TLSWrap instance is
still alive, allowing potential access to a then invalid pointer.
Fix by having the StreamBase destructor null out TLSWrap::stream_;
allowing all TLSWrap methods that rely on stream_ to do a check to see
if it's available.
While the test provided is fixed by this commit, it was also previously
fixed by 478fabf. Regardless, leave the test in for better testing.
PR-URL: https://github.com/nodejs/node/pull/11947
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
TLSWrap object keeps a pointer reference to the underlying
TCPWrap object. This TCPWrap object could be closed and deleted
by the event-loop which leaves us with a dangling pointer.
So the TLSWrap object needs to track the "close" event on the
TCPWrap object.
PR-URL: https://github.com/nodejs/node/pull/11776
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Code was calculating $PREFIX/lib/node relative to process.execPath, but
on Windows process.execPath is $PREFIX\node.exe whereas everywhere else
process.execPath is $PREFIX/bin/node (where $PREFIX is the root of the
installed Node.js).
PR-URL: https://github.com/nodejs/node/pull/9283
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Test executes with a copy of the node executable since $PREFIX/lib/node
is relative to the executable location.
PR-URL: https://github.com/nodejs/node/pull/9283
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/12091
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: JoãReis <reis@janeasystems.com>
Reviewed-By: Johan Bergströbugs@bergstroem.nu>
Removes branch that would make TLSSocket emit '_tlsError' event if
error occured on handshake and control was not released, as it was
never happening. Added test for tls.Server to ensure it still emits
'tlsClientError' as expected.
Note that 'tlsClientError' does not exist in the v4.x branch so this
back-port emits 'clientError' instead. See also pull request #4557.
Fixes: https://github.com/nodejs/node/issues/8803
PR-URL: https://github.com/nodejs/node/pull/8805
Refs: https://github.com/nodejs/node/pull/4557
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Apply unreleased (as of zlib v1.2.11) patch from upstream:
- 38e8ce32af
Original commit message:
Fix CLEAR_HASH macro to be usable as a single statement.
As it is used in deflateParams().
PR-URL: https://github.com/nodejs/node/pull/11616
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
`request.abort()` did not destroy the socket if it was called
before a socket was assigned to the request and the request
did not use an `Agent` or a Unix Domain Socket was used.
Fixes: https://github.com/nodejs/node/issues/10812
PR-URL: https://github.com/nodejs/node/pull/10818
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This commit adds a guard against an out of bounds access of
arguments, and replaces another use of arguments with a named
function parameter.
Refs: https://github.com/nodejs/node/issues/10323
Because any call to util.inspect() with an object results in
inspectPromise() being called, Debug was being initialized even when
it's not needed. Instead, the initialization is placed after the
isPromise check.
PR-URL: https://github.com/nodejs/node/pull/8452
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
PR-URL: https://github.com/nodejs/node/pull/11024
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
The last release Chris did was v1.8.1 from April 2015.
PR-URL: https://github.com/nodejs/node/pull/11011
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
test-child-process-spawnsync-timeout failed from time to time on
Raspberry Pi devices. Use common.platformTimeout() to allow a little
more time to run on resource-constrained hosts.
PR-URL: https://github.com/nodejs/node/pull/10998
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Evan Lucas
Rich Trott
Myles Borins
Rod Vagg
Ryan Kelly
Ben Noordhuis
Shigeki Ohtsu
Bruno Pagani
David Drysdale
Ali Ijaz Sheikh
Сковорода Никита Андреевич
Bartosz Sosnowski
Nikolai Vavilov
Daniel Bevenius
Trevor Norris
jBarz
Richard Lau
Michael Dawson
Mariusz 'koder' Chwalba
Sam Roberts
Tom Atkinson
Myles Borins
Luigi Pinca
Vse Mozhet Byt
Bryan English
cjihrig
AnnaMag
abouthiroppy
Jeremiah Senkpiel
Vinícius do Carmo