Showing 393 changed files with 82,965 additions and 5,545 deletions.
@@ -515,3 +515,6 @@ Kevin Simper <kevin.simper@gmail.com>
Jackson Tian <shyvo1987@gmail.com>
Tristan Berger <tristan.berger@gmail.com>
Mathias Schreck <schreck.mathias@googlemail.com>
Calvin Metcalf <cmetcalf@appgeo.com>
Matthew Fitzsimmons <matt@fitzage.com>
Swaagie <info@martijnswaagman.nl>
@@ -1,4 +1,25 @@
2014.09.16, Version 0.10.32 (Stable)
2014.10.20, Version 0.10.33 (Stable)

* openssl: Update to 1.0.1j (Addressing multiple CVEs)

* uv: Update to v0.10.29

* child_process: properly support optional args (cjihrig)

* crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny,
Timothy J Fontaine, Alexis Campailla)

This is a behavior change, by default we will not allow the negotiation to
SSLv2 or SSLv3. If you want this behavior, run Node.js with either
`--enable-ssl2` or `--enable-ssl3` respectively.

This does not change the behavior for users specifically requesting
`SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is
assumed you know what you're doing since you're specifically asking to use
these methods.


2014.09.16, Version 0.10.32 (Stable), 0fe0d121551593c23a565db8397f85f17bb0f00e

* npm: Update to 1.4.28

@@ -294,9 +294,9 @@ maintained libraries. The externally maintained libraries used by Node are:
- Zlib at deps/zlib. zlib's license follows:
"""
/* zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.4, March 14th, 2010
version 1.2.8, April 28th, 2013

Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler
Copyright (C) 1995-2013 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
@@ -314,9 +314,8 @@ maintained libraries. The externally maintained libraries used by Node are:
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly
Mark Adler

Jean-loup Gailly Mark Adler
jloup@gzip.org madler@alumni.caltech.edu
*/
"""

@@ -146,6 +146,9 @@ website_files = \

doc: $(apidoc_dirs) $(website_files) $(apiassets) $(apidocs) tools/doc/ out/doc/changelog.html node

doc-branch: NODE_DOC_VERSION = v$(shell $(PYTHON) tools/getnodeversion.py | cut -f1,2 -d.)
doc-branch: doc

$(apidoc_dirs):
mkdir -p $@

@@ -159,10 +162,10 @@ out/doc/%: doc/%
cp -r $< $@

out/doc/api/%.json: doc/api/%.markdown node
out/Release/node tools/doc/generate.js --format=json $< > $@
NODE_DOC_VERSION=$(NODE_DOC_VERSION) out/Release/node tools/doc/generate.js --format=json $< > $@

out/doc/api/%.html: doc/api/%.markdown node
out/Release/node tools/doc/generate.js --format=html --template=doc/template.html $< > $@
NODE_DOC_VERSION=$(NODE_DOC_VERSION) out/Release/node tools/doc/generate.js --format=html --template=doc/template.html $< > $@

email.md: ChangeLog tools/email-footer.md
bash tools/changelog-head.sh | sed 's|^\* #|* \\#|g' > $@
@@ -181,6 +184,11 @@ website-upload: doc
rm -f ~/web/nodejs.org/dist/node-latest.tar.gz &&\
ln -s $(VERSION)/node-$(VERSION).tar.gz ~/web/nodejs.org/dist/node-latest.tar.gz'

doc-branch-upload: NODE_DOC_VERSION = v$(shell $(PYTHON) tools/getnodeversion.py | cut -f1,2 -d.)
doc-branch-upload: doc-branch
echo $(NODE_DOC_VERSION)
rsync -r out/doc/api/ node@nodejs.org:~/web/nodejs.org/$(NODE_DOC_VERSION)

docopen: out/doc/api/all.html
-google-chrome out/doc/api/all.html

@@ -189,6 +197,7 @@ docclean:

RAWVER=$(shell $(PYTHON) tools/getnodeversion.py)
VERSION=v$(RAWVER)
NODE_DOC_VERSION=$(VERSION)
RELEASE=$(shell $(PYTHON) tools/getnodeisrelease.py)
PLATFORM=$(shell uname | tr '[:upper:]' '[:lower:]')
ifeq ($(findstring x86_64,$(shell uname -m)),x86_64)
@@ -112,10 +112,15 @@ parser.add_option("--systemtap-includes",
dest="systemtap_includes",
help=optparse.SUPPRESS_HELP)

parser.add_option("--no-ssl2",
parser.add_option("--without-ssl2",
action="store_true",
dest="no_ssl2",
help="Disable OpenSSL v2")
dest="ssl2",
help="Disable SSL v2")

parser.add_option("--without-ssl3",
action="store_true",
dest="ssl3",
help="Disable SSL v3")

parser.add_option("--shared-zlib",
action="store_true",
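Review bot: The new `dest="ssl2"` / `dest="ssl3"` names store the negated meaning — the flag is `--without-ssl2` yet `options.ssl2` is True when SSL 2 is disabled — which makes the `if options.ssl2:` test in the `configure_openssl` hunk below read backwards; `dest="without_ssl2"` and `dest="without_ssl3"` here, with `if options.without_ssl2:` / `if options.without_ssl3:` in that hunk, keep the name and the meaning aligned. The rename also drops the old `--no-ssl2` spelling outright, so any existing build invocation that used it now fails with an optparse error; adding it as a second option string, `parser.add_option("--without-ssl2", "--no-ssl2", action="store_true", dest="without_ssl2", help="Disable SSL v2")`, keeps those working. The help text could also make clear that these flags only add the `OPENSSL_NO_SSL2=1` / `OPENSSL_NO_SSL3=1` defines at build time, whereas the runtime autonegotiation default described in this commit's ChangeLog entry is controlled separately.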
@@ -620,9 +625,12 @@ def configure_openssl(o):
if options.without_ssl:
return

if options.no_ssl2:
if options.ssl2:
o['defines'] += ['OPENSSL_NO_SSL2=1']

if options.ssl3:
o['defines'] += ['OPENSSL_NO_SSL3=1']

if options.shared_openssl:
(libs, cflags) = pkg_config('openssl') or ('-lssl -lcrypto', '')

@@ -454,6 +454,12 @@ $L$SEH_begin_aesni_ecb_encrypt::
mov r8,QWORD PTR[40+rsp]


lea rsp,QWORD PTR[((-88))+rsp]
movaps XMMWORD PTR[rsp],xmm6
movaps XMMWORD PTR[16+rsp],xmm7
movaps XMMWORD PTR[32+rsp],xmm8
movaps XMMWORD PTR[48+rsp],xmm9
$L$ecb_enc_body::
and rdx,-16
jz $L$ecb_ret

@@ -752,6 +758,12 @@ $L$ecb_dec_six::
movups XMMWORD PTR[80+rsi],xmm7

$L$ecb_ret::
movaps xmm6,XMMWORD PTR[rsp]
movaps xmm7,XMMWORD PTR[16+rsp]
movaps xmm8,XMMWORD PTR[32+rsp]
movaps xmm9,XMMWORD PTR[48+rsp]
lea rsp,QWORD PTR[88+rsp]
$L$ecb_enc_ret::
mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue
mov rsi,QWORD PTR[16+rsp]
DB 0F3h,0C3h ;repret
@@ -2766,26 +2778,7 @@ ALIGN 64
EXTERN __imp_RtlVirtualUnwind:NEAR

ALIGN 16
ecb_se_handler PROC PRIVATE
push rsi
push rdi
push rbx
push rbp
push r12
push r13
push r14
push r15
pushfq
sub rsp,64

mov rax,QWORD PTR[152+r8]

jmp $L$common_seh_tail
ecb_se_handler ENDP


ALIGN 16
ccm64_se_handler PROC PRIVATE
ecb_ccm64_se_handler PROC PRIVATE
push rsi
push rdi
push rbx
@@ -2823,7 +2816,7 @@ ccm64_se_handler PROC PRIVATE
lea rax,QWORD PTR[88+rax]

jmp $L$common_seh_tail
ccm64_se_handler ENDP
ecb_ccm64_se_handler ENDP


ALIGN 16
@@ -3026,15 +3019,17 @@ ALIGN 4
ALIGN 8
$L$SEH_info_ecb::
DB 9,0,0,0
DD imagerel ecb_se_handler
DD imagerel ecb_ccm64_se_handler
DD imagerel $L$ecb_enc_body,imagerel $L$ecb_enc_ret

$L$SEH_info_ccm64_enc::
DB 9,0,0,0
DD imagerel ccm64_se_handler
DD imagerel ecb_ccm64_se_handler
DD imagerel $L$ccm64_enc_body,imagerel $L$ccm64_enc_ret

$L$SEH_info_ccm64_dec::
DB 9,0,0,0
DD imagerel ccm64_se_handler
DD imagerel ecb_ccm64_se_handler
DD imagerel $L$ccm64_dec_body,imagerel $L$ccm64_dec_ret

$L$SEH_info_ctr32::
@@ -2,6 +2,57 @@
OpenSSL CHANGES
_______________

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

*) SRTP Memory Leak.

A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.

The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]

*) Session Ticket Memory Leak.

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]

*) Build option no-ssl3 is incomplete.

When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]

*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]

*) Add additional DigestInfo checks.

Reencode DigestInto in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.

Note: this is a precautionary measure and no attacks are currently known.

[Steve Henson]

Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
@@ -1767,6 +1767,9 @@ open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslcon
print OUT "/* opensslconf.h */\n";
print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";

print OUT "#ifdef __cplusplus\n";
print OUT "extern \"C\" {\n";
print OUT "#endif\n";
print OUT "/* OpenSSL was configured with the following options: */\n";
my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
$openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n# define OPENSSL_NO_$1\n# endif\n#endif/mg;
@@ -1871,6 +1874,9 @@ while (<IN>)
{ print OUT $_; }
}
close(IN);
print OUT "#ifdef __cplusplus\n";
print OUT "}\n";
print OUT "#endif\n";
close(OUT);
rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.1i
VERSION=1.0.1j
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.1i-dev
VERSION=1.0.1j-dev
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -5,6 +5,13 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]

o Fix for CVE-2014-3513
o Fix for CVE-2014-3567
o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
o Fix for CVE-2014-3568

Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]

o Fix for CVE-2014-3512
@@ -1,5 +1,5 @@

OpenSSL 1.0.1i 6 Aug 2014
OpenSSL 1.0.1j 15 Oct 2014

Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -773,9 +773,12 @@ $ CCDEFS = "MONOLITH"
$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
$ CCEXTRAFLAGS = ""
$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
$ CCDISABLEWARNINGS = "" !!! "MAYLOSEDATA3" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. ""
$ THEN
$ IF CCDISABLEWARNINGS .NES. "" THEN CCDISABLEWARNINGS = CCDISABLEWARNINGS + ","
$ CCDISABLEWARNINGS = CCDISABLEWARNINGS + USER_CCDISABLEWARNINGS
$ ENDIF
$!
$! Check To See If We Have A ZLIB Option.
$!
@@ -1064,6 +1067,18 @@ $! Finish up the definition of CC.
$!
$ IF COMPILER .EQS. "DECC"
$ THEN
$! Not all compiler versions support MAYLOSEDATA3.
$ OPT_TEST = "MAYLOSEDATA3"
$ DEFINE /USER_MODE SYS$ERROR NL:
$ DEFINE /USER_MODE SYS$OUTPUT NL:
$ 'CC' /NOCROSS_REFERENCE /NOLIST /NOOBJECT -
/WARNINGS = DISABLE = ('OPT_TEST', EMPTYFILE) NL:
$ IF ($SEVERITY)
$ THEN
$ IF CCDISABLEWARNINGS .NES. "" THEN -
CCDISABLEWARNINGS = CCDISABLEWARNINGS+ ","
$ CCDISABLEWARNINGS = CCDISABLEWARNINGS+ OPT_TEST
$ ENDIF
$ IF CCDISABLEWARNINGS .NES. ""
$ THEN
$ CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"