v4.8.6 proposal #16500
Merged
v4.8.6 proposal #16500
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* The following function from <unicode/normlzr.h> is used:
normalize()
* Until ICU 59, <unicode/normlzr.h> is indirectly included, but this changed with the 59 release. Adding this header has been the right thing to do for many years, so it is backwards compatible and fix compilation with recent ICU.
Refs: #13022
PR-URL: #13040
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.
After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.
Original commit message:
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl/openssl#3385)
(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)
Refs: openssl/openssl#3241
Refs: openssl/openssl#3385
Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
HGlobalValueNumberingPhase::CollectSideEffectsOnPathsToDominatedBlock() used to self-recurse before this commit, causing stack overflows on systems with small stack sizes. Make it non-recursive by storing intermediate results in a heap-allocated list. Fixes: #11991 Backport-PR-URL: #13080 PR-URL: #12460 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yang Guo <yangguo@chromium.org>
Functions that call `ECDH::BufferToPoint` were not clearing the error stack on failure, so an invalid key could leave leftover error state and cause subsequent (unrelated) signing operations to fail. PR-URL: #13275 Backport-PR-URL: #13399 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
gpg 2.1 no longer includes the key-id by default which breaks the release script. This makes sure we are explicit about it. PR-URL: #13309 Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Allow passing the prefix in via the PKGDIR env var. This will allow us to use this same script to codesign the binary tarball. PR-URL: #14179 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball. PR-URL: #14179 Fixes: #11936 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Original commit message:
ares_parse_naptr_reply: make buffer length check more accurate
9478908a490a6bf009ba58d81de8c1d06d50a117 introduced a length check
for records parsed by `ares_parse_naptr_reply()`. However, that
function is designed to parse replies which also contain non-NAPTR
records; for A records, the `rr_len > 7` check will fail as there
are only 4 bytes of payload.
In particular, parsing ANY replies for NAPTR records was broken
by that patch.
Fix that by moving the check into the case in which it is already
known that the record is a NAPTR record.
Ref: c-ares/c-ares@18ea996
PR-URL: #13883
Reviewed-By: James M Snell <jasnell@gmail.com>
This is the certdata.txt[0] that ships in NSS 3.28.1, released on 2017-01-04. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #12402 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - AC RAIZ FNMT-RCM - Amazon Root CA 1 - Amazon Root CA 2 - Amazon Root CA 3 - Amazon Root CA 4 - Certplus Root CA G1 - Certplus Root CA G2 - Hellenic Academic and Research Institutions ECC RootCA 2015 - Hellenic Academic and Research Institutions RootCA 2015 - ISRG Root X1 - LuxTrust Global Root 2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 Certificates removed: - Buypass Class 2 CA 1 - EBG Elektronik Sertifika Hizmet Sağlayıcısı - IGC/A - Juur-SK - RSA Security 2048 v3 - Root CA Generalitat Valenciana PR-URL: #12402 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This is the certdata.txt[0] that ships in NSS 3.30.2, released on 2017-04-20. [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #13279 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Update the list of root certificates in src/node_root_certs.h with tools/mk-ca-bundle.pl. Certificates added: - TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 Certificates removed: - ApplicationCA - Japanese Government - Microsec e-Szigno Root CA - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 - WellsSecure Public Root Certificate Authority PR-URL: #13279 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
This reverts commit 2d07fd7, with the exception of the `V8_PATCH_LEVEL` which will continue to increase. This commit was intended to be a backport of v8's e093a04 and 09db540, but it failed to consider the reversion of e093a04 in 5f5a328. PR-URL: #14829 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Original commit messages: v8/v8@09db540 Reland of Rehash and clear deleted entries in weak collections during GC BUG=v8:4909 R=hpayer@chromium.org,ulan@chromium.org LOG=n Review URL: https://codereview.chromium.org/1890123002 Cr-Commit-Position: refs/heads/master@{#35538} v8/v8@686558d Fix comment about when we rehash ObjectHashTables before growing them R=ulan@chromium.org BUG= Review-Url: https://codereview.chromium.org/1918403003 Cr-Commit-Position: refs/heads/master@{#35853} Refs: https://crbug.com/v8/4909 Refs: #6180 Refs: #7689 Refs: #6398 Fixes: #14228 PR-URL: #14829 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
When upgrading OpenSSL, Step 6 in upgrading guide explains the steps that need to be taken if asm files need updating. This might not always be the case and something that needs to be checked from release to release. This commit adds an example of using github to manually compare two tags to see if any changes were made to asm files. Backport-PR-URL: #13696 PR-URL: #13234 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
All symlink files in deps/openssl/openssl/include/openssl/ are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. Fixes: #13161 Backport-PR-URL: #13696 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html iojs needs to stop using masm and move to nasm or yasm on Win32. Fixes: #589 Backport-PR-URL: #13696 PR-URL: #1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. Fixes: #1461 Backport-PR-URL: #13696 PR-URL: #1836 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc version was 5.4.0 and nasm version was 2.11.08. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. Fixes: #13161 Backport-PR-URL: #13696 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Added the missing make command in steps 6.3 when building asm_obsolete. Also updated the commit message to include the version nasm in addition to the gcc version. Fixes: #13161 Backport-PR-URL: #13696 PR-URL: #13233 Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This is a partial backport of semver-patch bits of 9e4660b. This commit fixes the Node process crashing when constructors of classes of the zlib module are given invalid options. * Throw an Error when the zlib library rejects the value of windowBits, instead of crashing with an assertion. * Treat windowBits and memLevel options consistently with other ones and don't crash when non-numeric values are given. Backport-PR-URL: #14860 PR-URL: #13098 Fixes: #13082 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Unset `mode_` when initializing the zlib stream failed, so that we don’t try to call the zlib end functions (`deflateEnd()` etc.) when cleaning up in `ZCtx::Close()`. Fixes: #14178 Ref: #13098 Backport-PR-URL: #14860 PR-URL: #14666 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
nodejs-github-bot
added
build
This replaces all sources of openssl-1.0.2m.tar.gz into deps/openssl/openssl PR-URL: #16691 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com>
All symlink files in `deps/openssl/openssl/include/openssl/` are removed and replaced with real header files to avoid issues on Windows. Two files of opensslconf.h in crypto and include dir are replaced to refer config/opensslconf.h. PR-URL: #16691 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com>
See https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html iojs needs to stop using masm and move to nasm or yasm on Win32. Fixes: #589 PR-URL: #1389 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In openssl s_client on Windows, RAND_screen() is invoked to initialize random state but it takes several seconds in each connection. This added -no_rand_screen to openssl s_client on Windows to skip RAND_screen() and gets a better performance in the unit test of test-tls-server-verify. Do not enable this except to use in the unit test. Fixes: #1461 PR-URL: #1836 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc version was 5.4.0 and nasm version was 2.11.08. Also asm files in asm_obsolete dir to support old compiler and assembler are regenerated without CC and ASM envs. PR-URL: #16691 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
force-pushed
the
v4.8.6-proposal
branch
from
24a1610
to
01d174e
Compare
|
Really not a fan of doing releases on a Friday. Can these wait until Monday? |
|
CITGM is not as green as I couldn't find new failures as compared to the previous release that were not infrastructure related. A large number of the failures are timeouts, and I believe that is mostly due to snapshots being turned off |
MylesBorins
force-pushed
the
v4.8.6-proposal
branch
from
01d174e
to
8bf35b9
Compare
Notable Changes:
* **crypto**:
- update root certificates (Ben Noordhuis)
#13279
- update root certificates (Ben Noordhuis)
#12402
* **deps**:
- add support for more modern versions of INTL (Bruno Pagani)
#13040
- upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
#16691
- upgrade openssl sources to 1.0.2l (Daniel Bevenius)
#13233
PR-URL: #16500
MylesBorins
force-pushed
the
v4.8.6-proposal
branch
from
8bf35b9
to
449d60d
Compare
|
Hey all, I've updated the PR with notable changes. Please lmk if you think there should be any changes made. |
MylesBorins
added a commit
that referenced
this pull request
Nov 7, 2017
Notable Changes:
* **crypto**:
- update root certificates (Ben Noordhuis)
#13279
- update root certificates (Ben Noordhuis)
#12402
* **deps**:
- add support for more modern versions of INTL (Bruno Pagani)
#13040
- upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
#16691
- upgrade openssl sources to 1.0.2l (Daniel Bevenius)
#13233
PR-URL: #16500
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
2017-11-07, Version 4.8.6 'Argon' (Maintenance), @MylesBorins
This Maintenance release comes with 47 commits. This includes 26 commits which are updates to dependencies,
8 which are build / tool related, 4 which are doc related, and 2 which are test related.
This release includes a security update to openssl that has been deemed low severity for the Node.js project.
Notable Changes
Commits
e064ae62e4] - build: fix make test-v8 (Ben Noordhuis) #15562a7f7a87a1b] - build: run test-hash-seed at the end of test-v8 (Michaël Zasso) #1421905e8b1b7d9] - build: codesign tarball binary on macOS (Evan Lucas) #14179e2b6fdf93e] - build: avoid /docs/api and /docs/doc/api upload (Rod Vagg) #1295759d35c0775] - build,tools: do not force codesign prefix (Evan Lucas) #14179210fa72e9e] - crypto: update root certificates (Ben Noordhuis) #13279752b46a259] - crypto: update root certificates (Ben Noordhuis) #124023640ba4acb] - crypto: clear err stack after ECDH::BufferToPoint (Ryan Kelly) #13275545235fc4b] - deps: add missing #include "unicode/normlzr.h" (Bruno Pagani) #13040ea09a1c3e6] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #1669168661a95b5] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836bdcb2525fb] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#13893f93ffee89] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#138916fbd9da0d] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #1669155e15ec820] - deps: upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #166919c3e246ffe] - deps: backport 4e18190 from V8 upstream (jshin) #1556243d1ac3a62] - deps: backport bff3074 from V8 upstream (Myles Borins) #15562b259fd3bd5] - deps: cherry pick d7f813b4 from V8 upstream (akos.palfi) #1556285800c4ba4] - deps: backport e28183b5 from upstream V8 (karl) #1556206eb181916] - deps: update openssl asm and asm_obsolete files (Daniel Bevenius) #13233c0fe1fccc3] - deps: update openssl config files (Daniel Bevenius) #13233523eb60424] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#18360aacd5a8cd] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#138980c48c0720] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389bbd92b4676] - deps: copy all openssl header files to include dir (Daniel Bevenius) #132338507f0fb5d] - deps: upgrade openssl sources to 1.0.2l (Daniel Bevenius) #132339bfada8f0c] - deps: add example of comparing OpenSSL changes (Daniel Bevenius) #1323471f9cdf241] - deps: cherry-pick 09db540,686558d from V8 upstream (Jesse Rosenberger) #14829751f1ac08e] - Revert "deps: backport e093a04, 09db540 from upstream V8" (Jesse Rosenberger) #14829ed6298c7de] - deps: cherry-pick 18ea996 from c-ares upstream (Anna Henningsen) #13883639180adfa] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #129139ba73e1797] - deps: cherry-pick 4ae5993 from upstream OpenSSL (Shigeki Ohtsu) #12913f8e282e51c] - doc: fix typo in zlib.md (Luigi Pinca) #16480532a2941cb] - doc: add missing make command to UPGRADING.md (Daniel Bevenius) #132331db33296cb] - doc: add entry for subprocess.killed property (Rich Trott) #145780fa09dfd77] - doc: changechildtosubprocess(Rich Trott) #1457843bbfafaef] - docs: Fix broken links in crypto.md (Zuzana Svetlikova) #151821bde7f5cef] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389e69f47b686] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389cb92f93cd5] - test: remove internal headers from addons (Gibson Fahnestock) #79475d9164c315] - test: move test-cluster-debug-port to sequential (Oleksandr Kushchak) #1629207c912e849] - tools: update certdata.txt (Ben Noordhuis) #13279c40bffcb88] - tools: update certdata.txt (Ben Noordhuis) #12402161162713f] - tools: be explicit about including key-id (Myles Borins) #133090c820c092b] - v8: fix stack overflow in recursive method (Ben Noordhuis) #12460a1f992975f] - zlib: fix crash when initializing failed (Anna Henningsen) #1466631bf595b94] - zlib: fix node crashing on invalid options (Alexey Orlenko) #13098