Release proposal: v0.12.10 (LTS) #5137
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Include reference to CVE-2015-8027 * Fix "socket may no longer have a socket" reference * Expand on non-existent parser causing the error * Clarify that CVE-2015-3194 affects TLS servers using _client certificate authentication_ PR-URL: #4154 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: James M Snell <[email protected]>
Backport the tools/install.py changes from 628a3ab that were missed when 6fb0b92 backported the corresponding changes to the Makefile to build the headers only archive. PR-URL: #4149 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Johan Bergström <[email protected]> Reviewed-By: Rod Vagg <[email protected]>
PR-URL: #4894 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Johan Bergström <[email protected]> Reviewed-By: James M Snell <[email protected]>
This replaces all sources of openssl-1.0.1r.tar.gz into deps/openssl/openssl PR-URL: #4967 Reviewed-By: Ben Noordhuis <[email protected]> deps: copy all openssl header files to include dir All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. PR-URL: #4967 Reviewed-By: Ben Noordhuis <[email protected]> deps: separate sha256/sha512-x86_64.pl for openssl sha256-x86_64.pl does not exist in the origin openssl distribution. It was copied from sha512-x86_64.pl and both sha256/sha512 scripts were modified so as to generates only one asm file specified as its key hash length. PR: #9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <[email protected]> deps: fix openssl assembly error on ia32 win32 `x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . PR: #9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <[email protected]> openssl: fix keypress requirement in apps on win32 reapply b910613 PR: #9451 PR-URL: nodejs/node-v0.x-archive#9451 Reviewed-By: Julien Gilli <[email protected]> deps: add -no_rand_screen to openssl s_client In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. (cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74) Reviewed-By: James M Snell <[email protected]> PR-URL: nodejs/node-v0.x-archive#25368
Security Update Notable items:
mscdex
added
meta
We already set |
|
finished off in node-private and released |
This was referenced Apr 28, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Security release, to go out ~ Tuesday, the 9th of February, 11pm UTC with releases across all active lines as per https://groups.google.com/d/msg/nodejs-sec/G8IA0G4uA88/So3Cw84YDwAJ.
Commits so far:
352e3d8a65] - build: enable xz compressed tarballs where possible (Rod Vagg) #489486c737762e] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) joyent/node#253688f2db882bd] - doc: clarify v0.12.9 notable items (Rod Vagg) #41544f81d78ec9] - tools: backport tools/install.py for headers (Richard Lau) #4149Pending additions being worked on by the security team, I'll get everything else ready here and finish it off in our private repo. Still needs "Notable items" filled out for OpenSSL.
Commits still on
v0.12-stagingthat we'll have to get to in a v0.12.11 soon after this release:fbc8cd9bbd] - deps: backport 1f8555 from v8's upstream (Trevor Norris) #394516417cc75a] - domains: fix handling of uncaught exceptions (Julien Gilli) #38859abceadaeb] - node: fix leaking Context handle (Trevor Norris) #3945801f6ad8a3] - src: fix build error without OpenSSL support (Jörg Krause) #4201409f6a9d30] - src: use global SealHandleScope (Trevor Norris) #39451effbd7b65] - test: add test-domain-exit-dispose-again back (Julien Gilli) #4278d1ba82af1c] - test: fix test-domain-exit-dispose-again (Julien Gilli) #3991Trying not to include non-security and non-build changes in this release to minimise impact to users (well, minimise their perceived impact at least).