Commits on Aug 26, 2018
  1. Use a hash map for thread id lookup, rather than a linked list

    zarvox authored and kentonv committed Sep 2, 2016
    When using node-fibers, we find ourselves spending 65% of our CPU time
    traversing the thread table linked list.  Let's try a real data structure.
Commits on Aug 15, 2018
  1. 2018-08-15, Version 8.11.4 'Carbon' (LTS)

    rvagg committed Aug 15, 2018
    This is a security release. All Node.js users should consult the
    security release summary at:
    
      https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * CVE-2018-0732 (OpenSSL)
      * CVE-2018-12115 (Node.js)
    
    Notable changes:
    
    * buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
      (CVE-2018-12115)
    * deps: Upgrade to OpenSSL 1.0.2p, fixing:
      * Client DoS due to large DH parameter (CVE-2018-0732)
      * ECDSA key extraction via local side-channel (CVE not assigned)
  2. buffer: avoid overrun on UCS-2 string write

    rvagg committed Aug 14, 2018
    CVE-2018-12115
    Discovered by ChALkeR - Сковорода Никита Андреевич
    Fix by Anna Henningsen
    
    Writing to the second-to-last byte with UCS-2 encoding will cause a -1
    length to be sent to String::Write(), writing all of the provided Buffer
    from that point and beyond.
    
    Fixes: nodejs-private/security#203
    PR-URL: nodejs-private/node-private#138
  3. test: fix error messages for OpenSSL-1.0.2p

    shigeki authored and rvagg committed Aug 14, 2018
    After upgrading to OpenSSL-1.0.2p, test-tls-passphrase.js failed
    due to a change in error messages.
    
    Ref: openssl/openssl@18026c0
    PR-URL: nodejs#22320
    Reviewed-By: Rod Vagg <rod@vagg.org>
  4. deps: add -no_rand_screen to openssl s_client

    Shigeki Ohtsu authored and rvagg committed May 27, 2015
    In openssl s_client on Windows, RAND_screen() is invoked to initialize
    random state but it takes several seconds in each connection.
    This added -no_rand_screen to openssl s_client on Windows to skip
    RAND_screen() and gets a better performance in the unit test of
    test-tls-server-verify.
    Do not enable this except to use in the unit test.
    
    Fixes: nodejs#1461
    PR-URL: nodejs#1836
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  5. openssl: fix keypress requirement in apps on win32

    Shigeki Ohtsu authored and rvagg committed Feb 17, 2015
    Reapply b910613 .
    
    Fixes: nodejs#589
    PR-URL: nodejs#1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  6. deps: fix asm build error of openssl in x86_win32

    Shigeki Ohtsu authored and rvagg committed Feb 13, 2015
    See
    https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html
    
    iojs needs to stop using masm and move to nasm or yasm on Win32.
    
    Fixes: nodejs#589
    PR-URL: nodejs#1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  7. deps: fix openssl assembly error on ia32 win32

    indutny authored and rvagg committed Jan 8, 2014
    `x86masm.pl` was mistakenly using .486 instruction set, while `cpuid` (and
    perhaps others) are requiring .686 .
    
    Fixes: nodejs#589
    PR-URL: nodejs#1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
  8. deps: copy all openssl header files to include dir

    shigeki authored and rvagg committed Aug 14, 2018
    All symlink files in `deps/openssl/openssl/include/openssl/`
    are removed and replaced with real header files to avoid
    issues on Windows. Two files of opensslconf.h in crypto and
    include dir are replaced to refer config/opensslconf.h.
    
    PR-URL: nodejs#22320
    Reviewed-By: Rod Vagg <rod@vagg.org>
  9. deps: upgrade openssl sources to 1.0.2p

    shigeki authored and rvagg committed Aug 15, 2018
    This replaces all sources of openssl-1.0.2p.tar.gz into
    deps/openssl/openssl
    
    PR-URL: nodejs#22320
    Reviewed-By: Rod Vagg <rod@vagg.org>
  10. test: update certificates and private keys

    indutny authored and rvagg committed Aug 7, 2018
    The certificates in test fixtures were set to expire in 999 days since
    they were generated. That time has passed, and they have to be reissued.
    Bump expiration time to 99999 days for all of them to prevent this from
    happening again in near future.
    
    PR-URL: nodejs#22184
    Fixes: nodejs#22182
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Gus Caplan <me@gus.host>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Rod Vagg <rod@vagg.org>
  11. test: update keys/Makefile to clean and build all

    danbev authored and rvagg committed Apr 12, 2018
    Currently when running make clean, followed by make, not all certificates
    get generated. In addition there are also the following error messages
    related to the startdate in agent8-cert.pem, and agent9-cert.pem:
    start date is invalid, it should be YYMMDDHHMMSSZ
    
    After this commit it is possible to perform the following commands:
    $ make clean
    $ make
    $ make test
    
    PR-URL: nodejs#19975
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
Commits on Jun 12, 2018
  1. 2018-06-12, Version 8.11.3 (LTS)

    evanlucas committed Jun 11, 2018
    Notable changes:
    
    * **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability
        where calling Buffer.fill() could hang
    * **http2**
      * (CVE-2018-7161): Fixes Denial of Service vulnerability by
          updating the http2 implementation to not crash under
          certain circumstances during cleanup
      * (CVE-2018-1000168): Fixes Denial of Service vulnerability
          by upgrading nghttp2 to 1.32.0
    
    PR-URL: nodejs-private/node-private#126
  2. test: add `Realloc()` shrink after reading stream data test

    addaleax authored and evanlucas committed Mar 29, 2018
    This would otherwise keep a lot of unused memory lying around,
    and in particular add up to a page per chunk of memory overhead
    for network reads, potentially opening a DoS vector if the resulting
    `Buffer` objects are kept around indefinitely (e.g. stored in a list
    and not concatenated until the socket finishes).
    
    This is to prevent v8.x from becoming susceptible to CVE-2018-7164.
    
    Refs: nodejs-private/security#186
    Refs: nodejs@7c4b09b
    PR-URL: nodejs-private/node-private#132
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Commits on Jun 11, 2018
  1. test: add tls write error regression test

    shigeki authored and evanlucas committed Apr 12, 2018
    Add a mock TLS socket implementation and a regression test for
    the previous commit.
    
    This is to prevent v8.x from becoming susceptible to CVE-2018-7162.
    
    Refs: nodejs-private/security#189
    PR-URL: nodejs-private/node-private#131
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Evan Lucas <evanlucas@me.com>
  2. test: add regression test for nghttp2 CVE-2018-1000168

    jasnell authored and evanlucas committed Apr 13, 2018
    PR-URL: nodejs-private/node-private#125
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  3. deps: update to nghttp2 1.32.0

    jasnell authored and evanlucas committed Apr 13, 2018
    This fixes CVE-2018-1000168.
    
    PR-URL: nodejs-private/node-private#125
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  4. http2: fixup http2stream cleanup and other nits

    jasnell authored and evanlucas committed May 31, 2018
    This fixes CVE-2018-7161.
    
    PR-URL: nodejs-private/node-private#123
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  5. doc: buffer.fill() can zero-fill on invalid input

    ChALkeR authored and evanlucas committed Jun 5, 2018
    Note that buffer.fill() can zero-fill on some input types if no
    valid fill data remains, but does nothing on other input types.
    
    PR-URL: nodejs-private/node-private#119
    Fixes: nodejs-private/security#193
    Refs: nodejs-private/node-private#118
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  6. src: avoid hanging on Buffer#fill 0-length input

    ChALkeR authored and evanlucas committed Apr 24, 2018
    Previously, zero-length Buffers and TypedArrays passed as fillers hanged
    Buffer#fill and Buffer.from.
    
    This changes those cases when it hanged to a zero-fill instead, which
    should be backwards compatible.
    
    This fixes CVE-2018-7167.
    
    PR-URL: nodejs-private/node-private#119
    Fixes: nodejs-private/security#193
    Refs: nodejs-private/node-private#118
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Commits on May 15, 2018
  1. Working on v8.11.3

    MylesBorins committed May 15, 2018
    PR-URL: nodejs#20478
  2. 2018-05-15, Version 8.11.2 'Carbon' (LTS)

    MylesBorins committed May 2, 2018
    Notable Changes:
    
    deps:
      - update node-inspect to 1.11.3 (Jan Krems)
        nodejs#18354
      - update nghttp2 to 1.29.0 (James M Snell)
        nodejs#17908
    http2:
      - Sync with current release stream
    n-api:
      - Sync with current release stream
    
    PR-URL: nodejs#20478
  3. build,win: restore vcbuild TAG functionality

    rvagg authored and MylesBorins committed Jan 8, 2018
    --tag needs to be set after `getnodeversion` because TAG is defined in
    there when DISTTYPE is not "release", setting it before `getnodeversion`
    leads to --tag not being passed down in to `configure` and
    src/node_version.h setting it as `-pre` by default. This change restores
    the functionality that properly sets the TAG for nightlies, rc builds
    and other custom build types.
    
    Ref: nodejs#17299
    Ref: nodejs/abi-stable-node#289
    
    PR-URL: nodejs#18031
    Ref: nodejs#17299
    Ref: nodejs/abi-stable-node#289
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: João Reis <reis@janeasystems.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Kyle Farnung <kfarnung@microsoft.com>
  4. timers: fix a bug in error handling

    apapirovski authored and MylesBorins committed Apr 14, 2018
    When a timeout within a list of timeouts (that consists of only
    that specific timeout) throws during its execution, it's possible
    for the TimerWrap handle to become shared between both that list
    and an unref'd timeout created in the future. This fixes the bug
    by extending error handling in timeout execution to check for
    whether the current list is empty and if so do cleanup on it.
    
    PR-URL: nodejs#20497
    Fixes: nodejs#19970
    Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
    Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
  5. http2: emit session connect on next tick

    pietermees authored and MylesBorins committed Apr 9, 2018
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19842
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
  6. doc: add Http2Session.connecting property

    pietermees authored and MylesBorins committed Apr 6, 2018
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19842
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
  7. doc, http2: add sections for server.close()

    chrismilleruk authored and MylesBorins committed Apr 4, 2018
    Clarify current behavior of http2server.close() and
    http2secureServer.close() w.r.t. perceived differences
    when compared with httpServer.close().
    
    Fixes: nodejs#19711
    
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19802
    Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
    Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
  8. http2: callback valid check before closing request

    trivikr authored and MylesBorins committed Feb 28, 2018
    Do not close the request if callback is not a function, and
    throw ERR_INVALID_CALLBACK TypeError
    
    Backport-PR-URL: nodejs#19229
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19061
    Fixes: nodejs#18855
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
  9. test: http2 errors on req.close()

    trivikr authored and MylesBorins committed Feb 18, 2018
    Backport-PR-URL: nodejs#19579
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#18854
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
  10. doc: guard against md list parsing edge case

    vsemozhetbyt authored and MylesBorins committed Mar 28, 2018
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19647
    Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Chen Gang <gangc.cxy@foxmail.com>
    Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
  11. http2: destroy() stream, upon errnoException

    SirR4T authored and MylesBorins committed Mar 16, 2018
    First steps towards nodejs#19060
    
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19389
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
  12. test: http2 stream.respond() error checks

    trivikr authored and MylesBorins committed Feb 19, 2018
    Backport-PR-URL: nodejs#19579
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#18861
    Reviewed-By: James M Snell <jasnell@gmail.com>
  13. doc: rename HTTP2 to HTTP/2

    TimothyGu authored and MylesBorins committed Mar 26, 2018
    Previously, "HTTP/2" was strictly used to describe the protocol, and
    HTTP2 the module. This distinction is deemed unnecessary, and
    consistency between the two terms is enforced.
    
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19603
    Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
    Reviewed-By: Chen Gang <gangc.cxy@foxmail.com>
    Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
  14. http2: remove some unnecessary next ticks

    jasnell authored and MylesBorins committed Mar 19, 2018
    Backport-PR-URL: nodejs#20456
    PR-URL: nodejs#19451
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>