Skip to content

Commit

Permalink
2017-12-08, Version 8.9.3 'Carbon' (LTS)
Browse files Browse the repository at this point in the history
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* buffer:
  * buffer allocated with an invalid content will now be zero filled
    (Anna Henningsen)
    #17428
* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17532
  • Loading branch information
MylesBorins committed Dec 8, 2017
1 parent 6fa9cae commit 2ac4718
Show file tree
Hide file tree
Showing 4 changed files with 52 additions and 10 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@ release.
<a href="doc/changelogs/CHANGELOG_V9.md#9.0.0">9.0.0</a><br/>
</td>
<td valign="top">
<b><a href="doc/changelogs/CHANGELOG_V8.md#8.9.2">8.9.2</a></b><br/>
<b><a href="doc/changelogs/CHANGELOG_V8.md#8.9.3">8.9.3</a></b><br/>
<a href="doc/changelogs/CHANGELOG_V8.md#8.9.2">8.9.2</a><br/>
<a href="doc/changelogs/CHANGELOG_V8.md#8.9.1">8.9.1</a><br/>
<a href="doc/changelogs/CHANGELOG_V8.md#8.9.0">8.9.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V8.md#8.8.1">8.8.1</a><br/>
Expand Down
2 changes: 1 addition & 1 deletion doc/api/buffer.md
Original file line number Diff line number Diff line change
Expand Up @@ -511,7 +511,7 @@ console.log(buf2.toString());
<!-- YAML
added: v5.10.0
changes:
- version: REPLACEME
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/17428
description: Specifying an invalid string for `fill` now results in a
zero-filled buffer.
Expand Down
16 changes: 8 additions & 8 deletions doc/api/http2.md
Original file line number Diff line number Diff line change
Expand Up @@ -346,7 +346,7 @@ frames have been acknowledged.

#### http2session.ping([payload, ]callback)
<!-- YAML
added: REPLACEME
added: v8.9.3
-->

* `payload` {Buffer|TypedArray|DataView} Optional ping payload.
Expand Down Expand Up @@ -1475,11 +1475,11 @@ not be emitted.
<!-- YAML
added: v8.4.0
changes:
- version: REPLACEME
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/17105
description: Added the `maxOutstandingPings` option with a default limit of
10.
- version: v9.1.0
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/16676
description: Added the `maxHeaderListPairs` option with a default limit of
128 header pairs.
Expand Down Expand Up @@ -1543,11 +1543,11 @@ server.listen(80);
<!-- YAML
added: v8.4.0
changes:
- version: REPLACEME
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/17105
description: Added the `maxOutstandingPings` option with a default limit of
10.
- version: v9.1.0
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/16676
description: Added the `maxHeaderListPairs` option with a default limit of
128 header pairs.
Expand Down Expand Up @@ -1621,11 +1621,11 @@ server.listen(80);
<!-- YAML
added: v8.4.0
changes:
- version: REPLACEME
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/17105
description: Added the `maxOutstandingPings` option with a default limit of
10.
- version: v9.1.0
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/16676
description: Added the `maxHeaderListPairs` option with a default limit of
128 header pairs.
Expand Down Expand Up @@ -1793,7 +1793,7 @@ server.on('stream', (stream, headers) => {
<!-- YAML
added: v8.4.0
changes:
- version: v9.1.0
- version: v8.9.3
pr-url: https://github.com/nodejs/node/pull/16676
description: The `maxHeaderListSize` setting is now strictly enforced.
-->
Expand Down
41 changes: 41 additions & 0 deletions doc/changelogs/CHANGELOG_V8.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
</tr>
<tr>
<td valign="top">
<a href="#8.9.3">8.9.3</a><br/>
<a href="#8.9.2">8.9.2</a><br/>
<a href="#8.9.1">8.9.1</a><br/>
<a href="#8.9.0">8.9.0</a><br/>
Expand Down Expand Up @@ -48,6 +49,46 @@
[Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and
will be supported actively until April 2019 and maintained until December 2019.

<a id="8.9.3"></a>
## 2017-12-08, Version 8.9.3 'Carbon' (LTS), @MylesBorins

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)

### Notable Changes

* **buffer**:
* buffer allocated with an invalid content will now be zero filled (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428)
* **deps**:
* openssl updated to 1.0.2n (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)

### Commits

* [[`b05ef978d3`](https://github.com/nodejs/node/commit/b05ef978d3)] - **buffer**: zero-fill buffer allocated with invalid content (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428)
* [[`18652b6860`](https://github.com/nodejs/node/commit/18652b6860)] - **deps**: update openssl asm and asm_obsolete files (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)
* [[`e6c308e237`](https://github.com/nodejs/node/commit/e6c308e237)] - **deps**: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) [nodejs/io.js#1836](https://github.com/nodejs/io.js/pull/1836)
* [[`a85f94bd59`](https://github.com/nodejs/node/commit/a85f94bd59)] - **deps**: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389)
* [[`b5552c854c`](https://github.com/nodejs/node/commit/b5552c854c)] - **deps**: fix openssl assembly error on ia32 win32 (Fedor Indutny) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389)
* [[`afad1f23a2`](https://github.com/nodejs/node/commit/afad1f23a2)] - **deps**: copy all openssl header files to include dir (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)
* [[`9fdd3bddf5`](https://github.com/nodejs/node/commit/9fdd3bddf5)] - **deps**: upgrade openssl sources to 1.0.2n (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)
* [[`db09f245bf`](https://github.com/nodejs/node/commit/db09f245bf)] - **doc**: warn against filling buffer with invalid data (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428)
* [[`42f09ed461`](https://github.com/nodejs/node/commit/42f09ed461)] - **http2**: use correct connect event for TLS Socket (James M Snell) [#17328](https://github.com/nodejs/node/pull/17328)
* [[`aba3544b50`](https://github.com/nodejs/node/commit/aba3544b50)] - **http2**: use 'close' event instead of 'streamClosed' (James M Snell) [#17328](https://github.com/nodejs/node/pull/17328)
* [[`bd035d75bd`](https://github.com/nodejs/node/commit/bd035d75bd)] - **http2**: general cleanups in core.js (James M Snell) [#17209](https://github.com/nodejs/node/pull/17209)
* [[`a5e3ba2cb3`](https://github.com/nodejs/node/commit/a5e3ba2cb3)] - **http2**: major update to internals (James M Snell) [#17105](https://github.com/nodejs/node/pull/17105)
* [[`d7f37cebed`](https://github.com/nodejs/node/commit/d7f37cebed)] - **http2**: simplify subsequent rstStream calls (Anatoli Papirovski) [#16753](https://github.com/nodejs/node/pull/16753)
* [[`22ee960775`](https://github.com/nodejs/node/commit/22ee960775)] - **http2**: refactor multiple internals (James M Snell) [#16676](https://github.com/nodejs/node/pull/16676)
* [[`319beaf45b`](https://github.com/nodejs/node/commit/319beaf45b)] - **http2**: allocate on every chunk send (James M Snell) [#16669](https://github.com/nodejs/node/pull/16669)
* [[`7d68488524`](https://github.com/nodejs/node/commit/7d68488524)] - **openssl**: fix keypress requirement in apps on win32 (Shigeki Ohtsu) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389)
* [[`8e8fac29de`](https://github.com/nodejs/node/commit/8e8fac29de)] - **src**: fix -Winconsistent-missing-override warning (Ben Noordhuis) [#16726](https://github.com/nodejs/node/pull/16726)
* [[`26b43c87ee`](https://github.com/nodejs/node/commit/26b43c87ee)] - **src**: add method to compute storage in WriteWrap (Anna Henningsen) [#16727](https://github.com/nodejs/node/pull/16727)
* [[`99d775ca07`](https://github.com/nodejs/node/commit/99d775ca07)] - **test**: fix flaky test-http2-create-client-connect (David Benjamin) [#16130](https://github.com/nodejs/node/pull/16130)

<a id="8.9.2"></a>
## 2017-12-05, Version 8.9.2 'Carbon' (LTS), @gibfahn

Expand Down

0 comments on commit 2ac4718

Please sign in to comment.