Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update master changelog with recent releases #4157

Closed
wants to merge 5 commits into from

Conversation

rvagg
Copy link
Member

@rvagg rvagg commented Dec 4, 2015

Security Update

Notable items:

* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
  part of the strategy to get a version of npm into Node.js v0.10.x that
  works with the current registry
  (nodejs/Release#37). This version of npm prints
  out a banner each time it is run. The banner warns that the next
  standard release of Node.js v0.10.x will ship with a version of npm
  v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
  "Certificate verify crash with missing PSS parameter", a potential
  denial-of-service vector for Node.js TLS servers; TLS clients are also
  impacted. Details are available at
  <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
  nodejs#4133

PR-URL: nodejs-private/node-private#15
Security Update

Notable items:

* http: Fix a bug where an HTTP socket may no longer have a socket but a
  pipelined request triggers a pause or resume, a potential
  denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
  "Certificate verify crash with missing PSS parameter", a potential
  denial-of-service vector for Node.js TLS servers; TLS clients are also
  impacted. Details are available at
  <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) nodejs#4133

PR-URL: nodejs-private/node-private#13
Security Update

Notable items:

* http: Fix a bug where an HTTP socket may no longer have a socket
  but a pipelined request triggers a pause or resume, a potential
  denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.2e, containing fixes for:
  - CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
    an attack is considered feasible against a Node.js TLS server using
    DHE key exchange. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  - CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
    a potential denial-of-service vector for Node.js TLS servers; TLS
    clients are also impacted. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  (Shigeki Ohtsu) nodejs#4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
  in out-of-bounds reads for arrays. (Ben Noordhuis)

PR-URL: nodejs-private/node-private#12
Security Update

Notable items:

* **http**: Fix a bug where an HTTP socket may no longer have a socket
  but a pipelined request triggers a pause or resume, a potential
  denial-of-service vector. (Fedor Indutny)
* **openssl**: Upgrade to 1.0.2e, containing fixes for:
  - CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
    an attack is considered feasible against DH, an attack against RSA
    and DSA is considered possible but unlikely, EC algorithms are not
    affected. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  - CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
    a potential denial-of-service vector for Node.js TLS servers; TLS
    clients are also impacted. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  (Shigeki Ohtsu) nodejs#4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
  in out-of-bounds reads for arrays. (Ben Noordhuis)

PR-URL: nodejs-private/node-private#11
* [78d256e7f5] - test: unmark tests that are no longer flaky (João Reis) https://github.com/nodejs/node-v0.x-archive/pull/25676
* [a9b642cf5b] - test: runner should return 0 on flaky tests (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25653
* [b48639befd] - test: support writing test output to file (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25653
* [caa16b41d6] - (SEMVER-MINOR) tls: prevent server from using dhe keys < 768 (Michael Dawson) https://github.com/nodejs/node/pull/3890
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is marked as semver-minor, but no minor version bump was made. I'm assuming that since this is for 0.12.x, we are not taking that into account as the versioning was different back then?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's exactly it. Bumping to v0.13.x would likely be quite confusing at this point

@JungMinu JungMinu added the doc Issues and PRs related to the documentations. label Dec 4, 2015

### Notable changes

* **http**: Fix CVE-2015-8027, a bug whereby an HTTP socket may no longer have a parser associated with it but a pipelined request attempts trigger a pause or resume on the non-existent parser, a potential denial-of-service vulnerability. (Fedor Indutny)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I speculate that attempts trigger -> attempts to trigger
(sorry If I'm wrong)

@jasnell
Copy link
Member

jasnell commented Dec 4, 2015

LGTM with @JungMinu's comment addressed

@rvagg rvagg closed this Dec 5, 2015
@rvagg rvagg deleted the update-master-changelog branch December 5, 2015 04:39
@rvagg
Copy link
Member Author

rvagg commented Dec 5, 2015

thanks, fixed and landed @

ab009a0 2015-12-04, Version 5.1.1 (Stable)
e935a52 2015-12-04, Version 4.2.3 "Argon" (LTS) Release
07d8741 2015-12-04, Version 0.12.9 (Stable)
2c61b84 2015-12-04, Version 0.10.41 (Maintenance)
483016f 2015-11-25 Version 0.12.8 (LTS) Release

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants