From 06ae95f587075f4d1c05aed64c54abcccce0c8d5 Mon Sep 17 00:00:00 2001 From: Rod Vagg Date: Fri, 4 Dec 2015 22:06:17 +1100 Subject: [PATCH] doc: clarify v0.12.9 notable items * Include reference to CVE-2015-8027 * Fix "socket may no longer have a socket" reference * Expand on non-existent parser causing the error * Clarify that CVE-2015-3194 affects TLS servers using _client certificate authentication_ PR-URL: https://github.com/nodejs/node/pull/4154 Reviewed-By: Colin Ihrig Reviewed-By: James M Snell --- ChangeLog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c85fc3a2dc04ed..53d1fa084324d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,10 +2,10 @@ Security Update -Notable items: +Notable changes: -* http: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) -* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at . (Ben Noordhuis) https://github.com/nodejs/node/pull/4133 +* http: Fix CVE-2015-8027, a bug whereby an HTTP socket may no longer have a parser associated with it but a pipelined request attempts to trigger a pause or resume on the non-existent parser, a potential denial-of-service vulnerability. (Fedor Indutny) +* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client certificate authentication; TLS clients are also impacted. Details are available at . (Ben Noordhuis) https://github.com/nodejs/node/pull/4133 Commits:
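Review bot: In the added openssl entry, "Details are available at ." carries no link target as shown here, in both the removed and the added line, so a reader looking for the CVE-2015-3194 advisory has nowhere to go; since this commit already rewrites that line, put the advisory URL in or drop the sentence. In the same entry the server-side impact is now narrowed to "TLS servers using client certificate authentication" while "TLS clients are also impacted" stays unqualified; a few words on the condition under which clients are affected would make the two halves consistent. The new http entry names CVE-2015-8027 but, unlike the openssl entry, ends without a PR or commit reference; add one if a public one exists. Wording nit: "Upgrade to 1.0.1q, fixes CVE-2015-3194" reads better as "Upgrade to 1.0.1q, which fixes CVE-2015-3194".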