deps: upgrade to openssl 1.0.1q (v0.12) #4133
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contains fixes for: * CVE-2015-3194 Certificate verify crash with missing PSS parameter * CVE-2015-3195 X509_ATTRIBUTE memory leak
bnoordhuis
added
tls
|
LGTM if CI is happy. |
|
@bnoordhuis What to do for opensslconf.h change in openssl/openssl@98b9454 ? It is for sun and seems not be serious. But just confirmation. |
|
asm, header files and floating patches are fine. The remaining is only opensslconf.h |
mscdex
added
openssl
|
I forgot to commit that. New CI with opensslconf.h fix-up: https://ci.nodejs.org/job/node-test-pull-request/911/ |
|
I think node is not vulnerable to X509_ATTRIBUTE memory leak (CVE-2015-3195) because PKCS7/CMS is not supported in Node. |
|
LGTM if CI is fine. |
|
Is the fix of character encoding also necessary for 1.0.2e? I never had a warning noise of character encoding while I'm working on it. |
|
@shigeki bnoordhuis/io.js@353c7f8 is what the diff looks like for 1.0.2e. |
|
There seems nothing to be changed in my branch with your commit. Why difference happened? |
|
CI is fine. But this PR is against v0.12 not v0.12-staging. Which is a right branch to land? |
|
@shigeki land it in v0.12-staging, I'll pull from there. |
|
Okay, I will land this to v0.12-staging. |
bnoordhuis
added a commit
that referenced
this pull request
Dec 3, 2015
Contains fixes for: * CVE-2015-3194 Certificate verify crash with missing PSS parameter * CVE-2015-3195 X509_ATTRIBUTE memory leak fixup! character encoding noise fixup! update opensslconf.h PR-URL: #4133 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
|
Landed in 6ee1536 . Thanks. |
rvagg
added a commit
that referenced
this pull request
Dec 3, 2015
Security Update Notable items: * build: Add support for Microsoft Visual Studio 2015 * npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (nodejs/Release#37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2. * openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133 PR-URL: nodejs-private/node-private#15
rvagg
added a commit
that referenced
this pull request
Dec 4, 2015
Security Update Notable items: * http: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) * openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133 PR-URL: nodejs-private/node-private#13
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
Dec 4, 2015
Security Update Notable items: * build: Add support for Microsoft Visual Studio 2015 * npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (nodejs/Release#37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2. * openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) nodejs#4133 PR-URL: nodejs-private/node-private#15
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
Dec 4, 2015
Security Update Notable items: * http: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) * openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) nodejs#4133 PR-URL: nodejs-private/node-private#13
rvagg
added a commit
that referenced
this pull request
Dec 5, 2015
Security Update Notable items: * build: Add support for Microsoft Visual Studio 2015 * npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (nodejs/Release#37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2. * openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133 PR-URL: nodejs-private/node-private#15
rvagg
added a commit
that referenced
this pull request
Dec 5, 2015
Security Update Notable items: * http: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) * openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133 PR-URL: nodejs-private/node-private#13
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
Security Update Notable items: * build: Add support for Microsoft Visual Studio 2015 * npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (nodejs/Release#37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2. * openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) nodejs#4133 PR-URL: nodejs-private/node-private#15
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
Security Update Notable items: * http: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) * openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) nodejs#4133 PR-URL: nodejs-private/node-private#13
jBarz
pushed a commit
to ibmruntimes/node
that referenced
this pull request
Nov 4, 2016
Contains fixes for: * CVE-2015-3194 Certificate verify crash with missing PSS parameter * CVE-2015-3195 X509_ATTRIBUTE memory leak fixup! character encoding noise fixup! update opensslconf.h PR-URL: nodejs/node#4133 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
This was referenced Mar 18, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contains fixes for:
(v0.12 is not affected by CVE-2015-3193 and CVE-2015-3196.)
OpenSSL did a character encoding fix-up that I've split off into a separate commit to keep down the noise in the main commit.
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/909/