Skip to content

Commit

Permalink
2016-03-03 Version 0.12.11 (LTS) Release
Browse files Browse the repository at this point in the history
Notable changes:

* http_parser: Update to http-parser 2.3.2 to fix an unintentionally
  strict limitation of allowable header characters.
  (James M Snell) #5241
* domains:
  - Prevent an exit due to an exception being thrown rather than
    emitting an 'uncaughtException' event on the `process` object when
    no error handler is set on the domain within which an error is
    thrown and an 'uncaughtException' event listener is set on
    `process`. (Julien Gilli) #3885
  - Fix an issue where the process would not abort in the proper
    function call if an error is thrown within a domain with no error
    handler and `--abort-on-uncaught-exception` is used.
    (Julien Gilli) #3885
* openssl: Upgrade from 1.0.2f to 1.0.2g
  (Ben Noordhuis) #5509
  - Fix a double-free defect in parsing malformed DSA keys that may
    potentially be used for DoS or memory corruption attacks. It is
    likely to be very difficult to use this defect for a practical
    attack and is therefore considered low severity for Node.js users.
    More info is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
    cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
    functions. It is believed that Node.js is not invoking the code
    paths that use these functions so practical attacks via Node.js
    using this defect are _unlikely_ to be possible. More info is
    available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
    (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
    defect enables attackers to execute side-channel attacks leading
    to the potential recovery of entire RSA private keys. It only
    affects the Intel Sandy Bridge (and possibly older)
    microarchitecture when using hyper-threading. Newer
    microarchitectures, including Haswell, are unaffected. More info
    is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0702

PR-URL: #5403
  • Loading branch information
rvagg committed Mar 4, 2016
1 parent 831b30e commit 4f08540
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,35 @@
# Node.js ChangeLog

## 2016-03-03, Version 0.12.11 (LTS), @rvagg

### Notable changes:

* http_parser: Update to http-parser 2.3.2 to fix an unintentionally strict limitation of allowable header characters. (James M Snell) https://github.com/nodejs/node/pull/5241
* domains:
- Prevent an exit due to an exception being thrown rather than emitting an 'uncaughtException' event on the `process` object when no error handler is set on the domain within which an error is thrown and an 'uncaughtException' event listener is set on `process`. (Julien Gilli) https://github.com/nodejs/node/pull/3885
- Fix an issue where the process would not abort in the proper function call if an error is thrown within a domain with no error handler and `--abort-on-uncaught-exception` is used. (Julien Gilli) https://github.com/nodejs/node/pull/3885
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) https://github.com/nodejs/node/pull/5509
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0702

### Commits:

* [1ab6653db9] - build: update Node.js logo on OSX installer (Rod Vagg) https://github.com/nodejs/node/pull/5401
* [fcc64792ae] - child_process: guard against race condition (Rich Trott) https://github.com/nodejs/node/pull/5153
* [6c468df9af] - child_process: fix data loss with readable event (Brian White) https://github.com/nodejs/node/pull/5037
* [61a22019c2] - deps: upgrade openssl to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5509
* [fa26b13df7] - deps: update to http-parser 2.3.2 (James M Snell) https://github.com/nodejs/node/pull/5241
* [46c8e2165f] - deps: backport 1f8555 from v8's upstream (Trevor Norris) https://github.com/nodejs/node/pull/3945
* [ce58c2c31a] - doc: remove SSLv2 descriptions (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5541
* [018e4e0b1a] - domains: fix handling of uncaught exceptions (Julien Gilli) https://github.com/nodejs/node/pull/3885
* [d421e85dc9] - lib: fix cluster handle leak (Rich Trott) https://github.com/nodejs/node/pull/5152
* [3a48f0022f] - node: fix leaking Context handle (Trevor Norris) https://github.com/nodejs/node/pull/3945
* [28dddabf6a] - src: fix build error without OpenSSL support (Jörg Krause) https://github.com/nodejs/node/pull/4201
* [a79baf03cd] - src: use global SealHandleScope (Trevor Norris) https://github.com/nodejs/node/pull/3945
* [be39f30447] - test: add test-domain-exit-dispose-again back (Julien Gilli) https://github.com/nodejs/node/pull/4278
* [da66166b9a] - test: fix test-domain-exit-dispose-again (Julien Gilli) https://github.com/nodejs/node/pull/3991

## 2016-03-02, Version 5.7.1 (Stable), @Fishrock123

### Notable changes
Expand Down

0 comments on commit 4f08540

Please sign in to comment.