
Release proposal: v2.3.4 #2115

Merged 2 commits, Jul 9, 2015

Conversation

Fishrock123 (Contributor)

There will be a "high" severity fix to OpenSSL this thursday. See https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html

We should probably look at having a release that day, if possible.

cc @shigeki / @indutny

@Fishrock123 Fishrock123 added the meta Issues and PRs related to the general management of the project. label Jul 6, 2015
@rvagg (Member) commented Jul 6, 2015

For reference, "high" is the highest severity level they report and is described as:

high severity issues. This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.

@indutny (Member) commented Jul 6, 2015

This is pretty awful :(

@shigeki (Contributor) commented Jul 7, 2015

I can work on it as soon as it is released on July 9th. It is usually around 15:00 GMT these days.

@bnoordhuis (Member)

@shigeki I can do it if the time is inconvenient for you. 15.00 GMT is in the afternoon for me and I assume an upgrade isn't any more complicated than applying the diff and maybe regenerating the assembly code.

@shigeki (Contributor) commented Jul 7, 2015

@bnoordhuis Thanks for your offer. I will hand it over to you if I cannot make it. But I have to stay up until the release in order to update my servers, as it fixes a high severity issue. Next time, if the release is for a low severity issue, I'm going to ask a volunteer among the collaborators to work on the upgrade with me.

@shigeki (Contributor) commented Jul 9, 2015

openssl-1.0.2d has just been released. The Alternative chains certificate forgery vulnerability (CVE-2015-1793) affects tls.client connections, so I am updating it right now.

@Fishrock123 (Contributor, Author)

Converted to PR, PTAL.


### Notable changes

* **openssl**: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery).
Contributor (review comment)

There is a PR for this now. #2141

@bnoordhuis (Member)

The eagle, I mean #2141, has landed.

@thefourtheye (Contributor)

@bnoordhuis ;-) 👍

@Fishrock123 (Contributor, Author)

@thefourtheye (Contributor)

@Fishrock123 Is this CI run for cutting the release?

Notable changes

* openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains
Certificate Forgery).
* npm: Upgraded to v2.12.1, release notes can be found in
https://github.com/npm/npm/releases/tag/v2.12.0 and
https://github.com/npm/npm/releases/tag/v2.12.1 (Kat Marchán)
nodejs#2112.
@Fishrock123 (Contributor, Author)

@thefourtheye that is for testing, I'll start the build process soon.

@thefourtheye (Contributor)

@Fishrock123 Okay, cool. 👍 I thought that the last CI run against the master was enough.

@Fishrock123 (Contributor, Author)

Release building off this branch for now: https://jenkins-iojs.nodesource.com/job/iojs+release/36/

@Fishrock123 Fishrock123 mentioned this pull request Jul 9, 2015
@Fishrock123 Fishrock123 merged commit 1a340a8 into nodejs:master Jul 9, 2015
@Fishrock123 (Contributor, Author)

Ah fudge I forgot to add PR-URL on the release commits, too late now.

Release is up at https://iojs.org/dist/v2.3.4/

@Fishrock123 (Contributor, Author)

@thefourtheye (Contributor)

@Fishrock123 Done 👍 Actually, hash-tagging with io.js or nodejs reaches more eyes, I think.

@chetandhembre

How can these openssl security updates affect node.js/iojs when other languages (like Ruby/Java) are not updating?
Maybe this is not the right place to ask this question, but I do not know where else to ask it.

@jbergstroem (Member)

@chetandhembre because node and iojs bundle openssl, while the others you referred to don't.

@chetandhembre

@jbergstroem but why do node.js/io.js bundle openssl? Any specific reason not to use the OS-level openssl?

@bnoordhuis (Member)

@chetandhembre Because distros often ship old versions that lack features we want.

@chetandhembre

@bnoordhuis thanks!!

@rvagg (Member) commented Jul 12, 2015

@Fishrock123 did we get armv6 builds for this?

@Fishrock123 (Contributor, Author)

Oh dang, let me do that right now. I got pretty carried away with Cascadia and didn't even really have my laptop out on Friday.

@Fishrock123 (Contributor, Author)

@rvagg done! :) (1.8.4 also)

@thefourtheye (Contributor)

@Fishrock123 I don't see it built here https://jenkins-iojs.nodesource.com/job/iojs+release/36/. How is it actually done?

@Fishrock123 (Contributor, Author)

@thefourtheye they are built from the pi1-raspbian-wheezy machine.

@thefourtheye (Contributor)

@Fishrock123 Ah, thanks :-)
