Commits on Mar 12, 2019
  1. deps,tools: include SipHash in LICENSE

    rvagg committed Mar 1, 2019
    PR-URL: #26367
    Refs: #23259
    Refs: https://darksi.de/12.hashwick-v8-vulnerability/
    Reviewed-By: Gus Caplan <me@gus.host>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Yang Guo <yangguo@chromium.org>
    Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
  2. build: enable v8's siphash for hash seed creation

    rvagg committed Mar 1, 2019
    Triggers the V8_USE_SIPHASH to switch from the internal custom V8
    hash seed generation function to an implementation of SipHash. Final
    step needed to clear up HashWick.
    
    PR-URL: #26367
    Refs: #23259
    Refs: https://darksi.de/12.hashwick-v8-vulnerability/
    Reviewed-By: Gus Caplan <me@gus.host>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Yang Guo <yangguo@chromium.org>
    Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Commits on Feb 28, 2019
  1. 2019-02-28, Version 6.17.0 'Boron' (LTS)

    rvagg committed Feb 28, 2019
    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * Node.js: Denial of Service with keep-alive HTTP connections
        (CVE-2019-5739)
      * Node.js: Slowloris HTTP Denial of Service with keep-alive
        (CVE-2019-5737)
      * OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
    
    Notable Changes:
    
    * deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
      CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
      certain circumstances, a TLS server can be forced to respond differently to
      a client if a zero-byte record is received with an invalid padding
      compared to a zero-byte record with an invalid MAC. This can be used as the
      basis of a padding oracle attack to decrypt data.
    * http:
      - Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS
        connections remaining open and inactive for an extended period of time,
        leading to a potential Denial of Service (DoS).
        (CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)
      - Further prevention of "Slowloris" attacks on HTTP and HTTPS
        connections by consistently applying the receive timeout set by
        `server.headersTimeout` to connections in keep-alive mode. Reported by
        Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#169
  2. 2019-02-28, Version 8.15.1 'Carbon' (LTS)

    rvagg committed Feb 28, 2019
    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * Node.js: Slowloris HTTP Denial of Service with keep-alive
        (CVE-2019-5737)
      * OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
    
    Notable Changes:
    
    * deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
      CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
      certain circumstances, a TLS server can be forced to respond differently to
      a client if a zero-byte record is received with an invalid padding
      compared to a zero-byte record with an invalid MAC. This can be used as the
      basis of a padding oracle attack to decrypt data.
    * http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
      connections by consistently applying the receive timeout set by
      `server.headersTimeout` to connections in keep-alive mode. Reported by
      Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#165
  3. 2019-02-28, Version 10.15.2 'Dubnium' (LTS)

    rvagg committed Feb 28, 2019
    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
    
    for details on patched vulnerabilities.
    
    A fix for the following CVE is included in this release:
    
      * Node.js: Slowloris HTTP Denial of Service with keep-alive
        (CVE-2019-5737)
    
    Notable Changes:
    
    * http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
      connections by consistently applying the receive timeout set by
      `server.headersTimeout` to connections in keep-alive mode. Reported by
      Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#164
  4. 2019-02-28, Version 11.10.1 (Current)

    rvagg committed Feb 28, 2019
    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
    
    for details on patched vulnerabilities.
    
    A fix for the following CVE is included in this release:
    
      * Node.js: Slowloris HTTP Denial of Service with keep-alive
        (CVE-2019-5737)
    
    Notable Changes:
    
    * http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
      connections by consistently applying the receive timeout set by
      `server.headersTimeout` to connections in keep-alive mode. Reported by
      Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#163
Commits on Dec 5, 2018
  1. build: fix check-xz for platforms defaulting to sh

    rvagg authored and Trott committed Dec 4, 2018
    5e80a9a introduced check-xz, using `[[ .. ]]` syntax, but this is a
    bash builtin and some platforms default to `sh` when doing
    `$(shell ...)` in Makefiles.
    
    Fix is to make it sh friendly.
    
    Ref: #24551
    
    PR-URL: #24841
    Refs: #24551
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Commits on Dec 4, 2018
  1. build: make tar.xz creation opt-out, fail if no xz

    rvagg authored and Trott committed Nov 21, 2018
    PR-URL: #24551
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Commits on Dec 3, 2018
  1. 2018-12-03, Version 6.15.1 'Boron' (LTS)

    rvagg committed Dec 3, 2018
    Notable Changes:
    
    This is a patch release to address a bad backport of the fix for "Slowloris
    HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
    timeout to an entire keep-alive HTTP session, resulting in prematurely
    disconnected sockets.
    
    PR-URL: #24803
    Refs: #24796
    Refs: #24760
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Commits on Dec 1, 2018
  1. tools: don't use GH API for commit message checks

    rvagg authored and Trott committed Nov 23, 2018
    Fixes: #24567
    
    PR-URL: #24574
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Gus Caplan <me@gus.host>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
  2. tools: only sign release if promotion successful

    rvagg authored and Trott committed Nov 27, 2018
    Ref: nodejs/build#1596
    
    PR-URL: #24669
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
  3. tools: check for git tag before promoting release

    rvagg authored and Trott committed Nov 27, 2018
    PR-URL: #24670
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
Commits on Nov 28, 2018
  1. build: only check REPLACEME & DEP...X for releases

    rvagg committed May 11, 2017
    PR-URL: #24575
    Refs: #24551
    Refs: #12958
    Refs: #12957
    Refs: #8325
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
  2. 2018-11-27, Version 11.3.0 (Current)

    rvagg committed Nov 25, 2018
    This is a security release. All Node.js users should consult the security
    release summary at:
    
    https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
      * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
      * Node.js: Hostname spoofing in URL parser for javascript protocol
        (CVE-2018-12123)
      * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
      * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
    
    Notable Changes:
    
    * deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
    * http:
      * Headers received by HTTP servers must not exceed 8192 bytes in total to
        prevent possible Denial of Service attacks. Reported by Trevor Norris.
        (CVE-2018-12121 / Matteo Collina)
      * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
        value can be adjusted with `server.headersTimeout`. Where headers are not
        completely received within this period, the socket is destroyed on the next
        received chunk. In conjunction with `server.setTimeout()`, this aids in
        protecting against excessive resource retention and possible Denial of
        Service. Reported by Jan Maybach (liebdich.com).
    * url: Fix a bug that would allow a hostname to be spoofed when parsing URLs
      with `url.parse()` with the `'javascript:'` protocol. Reported by
      Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#156
  3. 2018-11-27, Version 10.14.0 'Dubnium' (LTS)

    rvagg committed Nov 25, 2018
    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
      * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
      * Node.js: Hostname spoofing in URL parser for javascript protocol
        (CVE-2018-12123)
      * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
      * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
    
    Notable Changes:
    
    * deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
    * http:
      * Headers received by HTTP servers must not exceed 8192 bytes in total to
        prevent possible Denial of Service attacks. Reported by Trevor Norris.
        (CVE-2018-12121 / Matteo Collina)
      * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
        value can be adjusted with `server.headersTimeout`. Where headers are not
        completely received within this period, the socket is destroyed on the next
        received chunk. In conjunction with `server.setTimeout()`, this aids in
        protecting against excessive resource retention and possible Denial of
        Service. Reported by Jan Maybach (liebdich.com).
    * url: Fix a bug that would allow a hostname to be spoofed when parsing URLs
      with `url.parse()` with the `'javascript:'` protocol. Reported by
      Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#155
  4. 2018-11-27, Version 8.14.0 'Carbon' (LTS)

    rvagg committed Nov 25, 2018
    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
      * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
      * Node.js: Hostname spoofing in URL parser for javascript protocol
        (CVE-2018-12123)
      * Node.js: HTTP request splitting (CVE-2018-12116)
      * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
      * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
        (CVE-2018-5407)
    
    Notable Changes:
    
    * deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
    * http:
      * Headers received by HTTP servers must not exceed 8192 bytes in total to
        prevent possible Denial of Service attacks. Reported by Trevor Norris.
        (CVE-2018-12121 / Matteo Collina)
      * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
        value can be adjusted with `server.headersTimeout`. Where headers are not
        completely received within this period, the socket is destroyed on the next
        received chunk. In conjunction with `server.setTimeout()`, this aids in
        protecting against excessive resource retention and possible Denial of
        Service. Reported by Jan Maybach (liebdich.com).
      * Two-byte characters are now strictly disallowed for the `path` option in
        HTTP client requests. Paths containing characters outside of the range
        `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
        can be reverted if necessary by supplying the
        `--security-revert=CVE-2018-12116` command line argument (this is not
        recommended). Reported as security concern for Node.js 6 and 8 by
        Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
        Fünfstück applied to Node.js 10 and later.
        (CVE-2018-12116 / Matteo Collina)
    * url: Fix a bug that would allow a hostname to be spoofed when parsing URLs
      with `url.parse()` with the `'javascript:'` protocol. Reported by
      Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#154
  5. 2018-11-27, Version 6.15.0 'Boron' (LTS)

    rvagg committed Nov 24, 2018
    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * Node.js: Debugger port 5858 listens on any interface by default
        (CVE-2018-12120)
      * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
      * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
      * Node.js: Hostname spoofing in URL parser for javascript protocol
        (CVE-2018-12123)
      * Node.js: HTTP request splitting (CVE-2018-12116)
      * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
      * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
        (CVE-2018-5407)
    
    Notable Changes:
    
    * debugger: Backport of #8106 to
      prevent the debugger from listening on `0.0.0.0`. It now defaults to
      `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
    * deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
    * http:
      * Headers received by HTTP servers must not exceed 8192 bytes in total to
        prevent possible Denial of Service attacks. Reported by Trevor Norris.
        (CVE-2018-12121 / Matteo Collina)
      * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
        value can be adjusted with `server.headersTimeout`. Where headers are not
        completely received within this period, the socket is destroyed on the next
        received chunk. In conjunction with `server.setTimeout()`, this aids in
        protecting against excessive resource retention and possible Denial of
        Service. Reported by Jan Maybach (liebdich.com).
        (CVE-2018-12122 / Matteo Collina)
      * Two-byte characters are now strictly disallowed for the `path` option in
        HTTP client requests. Paths containing characters outside of the range
        `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
        can be reverted if necessary by supplying the
        `--security-revert=CVE-2018-12116` command line argument (this is not
        recommended). Reported as security concern for Node.js 6 and 8 by
        Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
        Fünfstück applied to Node.js 10 and later.
        (CVE-2018-12116 / Matteo Collina)
    * url: Fix a bug that would allow a hostname to be spoofed when parsing
      URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
      Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#153
  6. http: reset headers_nread_ on llhttp parser reuse

    rvagg committed Nov 27, 2018
    PR-URL: nodejs-private/node-private#149
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
  7. deps,http: llhttp set max header size to 8KB

    rvagg committed Nov 14, 2018
    CVE-2018-12121
    
    As per nodejs-private/node-private#149 for http_parse but for llhttp
    
    Ref: nodejs-private/node-private#143
    PR-URL: nodejs-private/node-private#149
    Reviewed-By: Matteo Collina <hello@matteocollina.com>
Commits on Nov 17, 2018
  1. deps: float 26d7fce1 from openssl

    rvagg authored and danbev committed Nov 14, 2018
    The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
    constant-time calculation for one of the variables. This introduces
    a fix for that.
    
    Upstream: openssl/openssl@26d7fce
    
    Original commit message:
      Add a constant time flag to one of the bignums to avoid a timing leak.
    
      Reviewed-by: Tim Hudson <tjh@openssl.org>
      (Merged from openssl/openssl#7549)
    
      (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
    
    PR-URL: #24353
    Refs: openssl/openssl#7549
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Commits on Nov 12, 2018
  1. doc: update fs.open() changes record for optional 'flags'

    rvagg authored and Trott committed Nov 8, 2018
    Was missed on original PR.
    
    Ref: #23767
    
    PR-URL: #24240
    Refs: #23767
    Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
Commits on Nov 4, 2018
  1. deps: float 99540ec from openssl (CVE-2018-0735)

    rvagg authored and Trott committed Oct 29, 2018
    Low severity timing vulnerability in ECDSA signature generation
    
    Publicly disclosed but unreleased, pending OpenSSL 1.1.0j
    
    Also includes trivial syntax fix from
    openssl/openssl#7516
    
    Ref: https://www.openssl.org/news/secadv/20181029.txt
    Ref: openssl/openssl#7486
    PR-URL: https://github.com/nodejs/node/pull/???
    Upstream: openssl/openssl@99540ec
    
    Original commit message:
    
        Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
    
        Preallocate an extra limb for some of the big numbers to avoid a reallocation
        that can potentially provide a side channel.
    
        Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
        (Merged from openssl/openssl#7486)
    
    PR-URL: #23950
    Refs: https://www.openssl.org/news/secadv/20181029.txt
    Refs: openssl/openssl#7486
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
    Reviewed-By: James M Snell <jasnell@gmail.com>
  2. deps: float a9cfb8c2 from openssl (CVE-2018-0734)

    rvagg authored and Trott committed Oct 30, 2018
    Low severity timing vulnerability in the DSA signature algorithm
    
    Publicly disclosed but unreleased, pending OpenSSL 1.1.0j
    
    Ref: openssl/openssl#7486
    Ref: https://www.openssl.org/news/secadv/20181030.txt
    PR-URL: https://github.com/nodejs/node/pull/???
    Upstream: openssl/openssl@a9cfb8c
    
    Original commit message:
    
        Avoid a timing attack that leaks information via a side channel that
        triggers when a BN is resized.  Increasing the size of the BNs
        prior to doing anything with them suppresses the attack.
    
        Thanks due to Samuel Weiser for finding and locating this.
    
        Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
        (Merged from openssl/openssl#7486)
    
    PR-URL: #23965
    Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
    Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
  3. deps: float 415c3356 from openssl (DSA vulnerability)

    rvagg authored and Trott committed Oct 30, 2018
    Low severity timing vulnerability in the DSA signature algorithm
    
    Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
    severe enough to be assigned a CVE #.
    
    Ref: openssl/openssl#7487
    PR-URL: https://github.com/nodejs/node/pull/???
    Upstream: openssl/openssl@415c335
    
    Original commit message:
    
        DSA mod inverse fix
    
        There is a side channel attack against the division used to calculate one of
        the modulo inverses in the DSA algorithm.  This change takes advantage of the
        primality of the modulo and Fermat's little theorem to calculate the inverse
        without leaking information.
    
        Thanks to Samuel Weiser for finding and reporting this.
    
        Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
        Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
        (Merged from openssl/openssl#7487)
    
    PR-URL: #23965
    Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
    Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
Commits on Oct 30, 2018
  1. doc: remove "idiomatic choice" from queueMicrotask

    rvagg committed Oct 25, 2018
    It can't be idiomatic if it's not in general use and therefore hasn't
    been picked up by users. It's not even in browsers yet.
    
    "Idiomatic" use is an emergent property that comes from observed use
    and this feature is so new (to browsers and Node) that it can't
    possibly be. In general I don't think it's the place of the Node API
    docs to observe what emerges as idiomatic Node.js.
    
    It also can't be a recommended feature (if that was the intent of the
    language) because it's marked experimental. For now, it's just a
    feature, nothing more. Recommendations and/or observations about it
    being 'idiomatic' can come later.
    
    PR-URL: #23885
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
    Reviewed-By: Matheus Marchini <mat@mmarchini.me>
    Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
    Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Commits on Aug 16, 2018
  1. buffer: avoid overrun on UCS-2 string write

    rvagg committed Aug 14, 2018
    CVE-2018-12115
    Discovered by ChALkeR - Сковорода Никита Андреевич
    Fix by Anna Henningsen
    
    Writing to the second-to-last byte with UCS-2 encoding will cause a -1
    length to be sent to String::Write(), writing all of the provided Buffer
    from that point and beyond.
    
    Fixes: nodejs-private/security#203
    PR-URL: nodejs-private/node-private#138
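The following is an added regression check, not Node.js project code, for the write pattern the commit message above describes: a UCS-2 write starting at the second-to-last byte of a Buffer. It carves a small view out of a larger sentinel-filled pool (constructed test data) so that any write past the end of the view is visible as clobbered sentinel bytes, and it generalizes the probe to every possible amount of remaining space.

```javascript
// Added example (not Node.js project code): reproduces the write pattern
// the commit message above describes, a UCS-2 write that starts near the
// end of a Buffer, and audits the memory around it for an overrun.

// Write `text` as UCS-2 into a 4-byte view carved from the middle of a
// larger sentinel-filled pool, starting `spaceLeft` bytes before the end of
// the view. The view shares memory with the pool, so an overrun of the kind
// the commit fixes would show up as clobbered sentinel bytes after it.
function probeUcs2Write(text, spaceLeft) {
  const SENTINEL = 0xaa;
  const VIEW_START = 4;
  const VIEW_LEN = 4;
  if (!Number.isInteger(spaceLeft) || spaceLeft < 1 || spaceLeft > VIEW_LEN) {
    throw new RangeError(`spaceLeft must be in 1..${VIEW_LEN}`);
  }
  const pool = Buffer.alloc(16, SENTINEL);              // constructed data
  const view = pool.subarray(VIEW_START, VIEW_START + VIEW_LEN);
  const offset = VIEW_LEN - spaceLeft;                  // spaceLeft 1 = bug case
  const written = view.write(text, offset, 'ucs2');

  // Anything outside the view that is no longer the sentinel was overrun.
  const clobbered = [];
  for (let i = 0; i < pool.length; i++) {
    const insideView = i >= VIEW_START && i < VIEW_START + VIEW_LEN;
    if (!insideView && pool[i] !== SENTINEL) clobbered.push(i);
  }
  return {
    written,                          // bytes Node reports as written
    overrun: clobbered.length > 0,
    clobbered,                        // pool indices outside the view that changed
    view: Array.from(view),           // the view's bytes after the write
    sane: isSaneUcs2Write(written, spaceLeft),
  };
}

// A UCS-2 write must emit whole little-endian 2-byte code units, so the
// reported byte count must be even, non-negative and fit the space left.
function isSaneUcs2Write(written, spaceLeft) {
  return Number.isInteger(written) && written >= 0 &&
         written % 2 === 0 && written <= spaceLeft;
}

// Run the probe across every possible remaining-space value and collect
// any case that overran or reported a nonsensical length. An empty result
// means the runtime handles the partial code-unit case safely.
function auditUcs2Writes(text = 'abcd') {
  const failures = [];
  for (let spaceLeft = 1; spaceLeft <= 4; spaceLeft++) {
    const r = probeUcs2Write(text, spaceLeft);
    if (r.overrun || !r.sane) failures.push({ spaceLeft, ...r });
  }
  return failures;
}
```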
  2. 2018-08-15, Version 10.9.0 (Current)

    rvagg committed Aug 13, 2018
    Notable changes:
    
    * buffer:
      * Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
        (CVE-2018-12115)
      * Fix unintentional exposure of uninitialized memory in `Buffer.alloc()`
        (CVE-2018-7166)
    * deps:
      * Upgrade to OpenSSL 1.1.0i, fixing:
        - Client DoS due to large DH parameter (CVE-2018-0732)
        - ECDSA key extraction via local side-channel (CVE not assigned)
      * Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
        - Memory reduction and performance improvements, details at:
          https://v8project.blogspot.com/2018/06/v8-release-68.html
    * http: `http.get()` and `http.request()` (and `https` variants) can now accept
      three arguments to allow for a `URL` _and_ an `options` object
      (Sam Ruby) #21616
    * Added new collaborators
      * Sam Ruby (https://github.com/rubys)
      * George Adams (https://github.com/gdams)
  3. 2018-08-15, Version 8.11.4 'Carbon' (LTS)

    rvagg committed Aug 15, 2018
    This is a security release. All Node.js users should consult the
    security release summary at:
    
      https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * CVE-2018-0732 (OpenSSL)
      * CVE-2018-12115 (Node.js)
    
    Notable changes:
    
    * buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
      (CVE-2018-12115)
    * deps: Upgrade to OpenSSL 1.0.2p, fixing:
      * Client DoS due to large DH parameter (CVE-2018-0732)
      * ECDSA key extraction via local side-channel (CVE not assigned)
  4. 2018-08-15, Version 6.14.4 'Boron' (LTS)

    rvagg committed Aug 15, 2018
    This is a security release. All Node.js users should consult the
    security release summary at:
    
      https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * CVE-2018-0732 (OpenSSL)
      * CVE-2018-12115 (Node.js)
    
    Notable changes:
    
    * buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
      (CVE-2018-12115)
    * deps: Upgrade to OpenSSL 1.0.2p, fixing:
      * Client DoS due to large DH parameter (CVE-2018-0732)
      * ECDSA key extraction via local side-channel (CVE not assigned)
Commits on Jun 25, 2018
  1. deps: float 0c27d793 from openssl (ECDSA blinding)

    rvagg authored and apapirovski committed Jun 15, 2018
    Pending OpenSSL 1.1.0i release.
    
    Refs: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
    PR-URL: #21345
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Upstream: openssl/openssl@0c27d79
    
    Original commit message:
        Add blinding to an ECDSA signature
    
        Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
        ECDSA signature operation. During signing the signer calculates:
    
        s:= k^-1 * (m + r * priv_key) mod order
    
        The addition operation above provides a sufficient signal for a
        flush+reload attack to derive the private key given sufficient signature
        operations.
    
        As a mitigation (based on a suggestion from Keegan) we add blinding to
        the operation so that:
    
        s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
    
        Since this attack is a localhost side channel only no CVE is assigned.
    
        Reviewed-by: Rich Salz <rsalz@openssl.org>
Commits on Jun 15, 2018
  1. deps: float ea7abee from openssl / CVE-2018-0732

    rvagg committed Jun 12, 2018
    Pending OpenSSL 1.1.0i release.
    
    PR-URL: #21282
    Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Upstream: openssl/openssl@ea7abee
    
    Original commit message:
    
        Reject excessively large primes in DH key generation.
    
        CVE-2018-0732
    
        Signed-off-by: Guido Vranken <guidovranken@gmail.com>
    
        (cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
    
        Reviewed-by: Tim Hudson <tjh@openssl.org>
        Reviewed-by: Matt Caswell <matt@openssl.org>
        (Merged from openssl/openssl#6457)
Commits on Apr 23, 2018
  1. build: require --openssl-no-asm if old assembler

    rvagg authored and jasnell committed Apr 23, 2018
    PR-URL: #20226
    Fixes: #19944
    Refs: #20217
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
  2. build: extract error() function in configure

    rvagg authored and jasnell committed Apr 23, 2018
    PR-URL: #20226
    Fixes: #19944
    Refs: #20217
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Commits on Apr 20, 2018
  1. Revert "process: add version constants and compare"

    rvagg authored and Trott committed Apr 16, 2018
    This reverts commit 91e0f8d.
    
    PR-URL: #20062
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
    Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Commits on Apr 16, 2018
  1. deps: c-ares float, win ipv6 bad fec0 prefix

    rvagg authored and BridgeAR committed May 15, 2013
    Was 72c5458:
    
      PR-URL: #5090
      Reviewed-By: Fedor Indutny <fedor@indutny.com>
    
    Reimplemented for c-ares 1.13.0
    
    PR-URL: #15378
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    
    PR-URL: #19939
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>