Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release proposal: v0.10.41 #2805

Merged
merged 7 commits into from
Dec 4, 2015
Merged

Release proposal: v0.10.41 #2805

merged 7 commits into from
Dec 4, 2015

Conversation

rvagg
Copy link
Member

@rvagg rvagg commented Sep 11, 2015

Technically we can't do this with our new Jenkins setup and new nodejs.org server, we still have jenkins.nodejs.org and the original nodejs.org server in place to serve for emergencies but this release needs to come out of our new infra so there's work for @nodejs/build to do. Some details on that here: nodejs/build#164

@rvagg rvagg mentioned this pull request Sep 11, 2015
@brendanashworth brendanashworth added the meta Issues and PRs related to the general management of the project. label Sep 11, 2015
@othiym23
Copy link
Contributor

Has there been discussion or a decision about nodejs/Release#37? It would be nice to get a less broken npm into 0.10 at some point.

@rvagg
Copy link
Member Author

rvagg commented Sep 11, 2015

@othiym23 @nodejs/lts let's get that question sorted out at next week's meeting and make sure the results of that make it into this release

@Fishrock123
Copy link
Contributor

Rubber stamp LGTM. Would like to discuss npm also.

@bnoordhuis
Copy link
Member

The release should wait for the new libuv v0.10 release.

@jasnell
Copy link
Member

jasnell commented Sep 11, 2015

Unless there were updates I missed while I was in Waterford, three are only 8 open PRs against v0.10. We should attempt to close those before cutting a new v0.10.41

@rvagg
Copy link
Member Author

rvagg commented Sep 12, 2015

$ curl -sL 'https://api.github.com/repos/nodejs/node-v0.x-archive/pulls?base=v0.10' | json -a url title

@jasnell
Copy link
Member

jasnell commented Sep 12, 2015

Some of these can likely be closed straight off, but a few represent long standing bugs.

@ChALkeR ChALkeR added the lts Issues and PRs related to Long Term Support releases. label Oct 28, 2015
See https://github.com/npm/npm/releases/tag/v1.4.29 for details.
Encourage users to upgrade to a newer npm, and lays the groundwork for
getting npm@2 into Node 0.10 LTS.

PR-URL: #3639
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
@rvagg
Copy link
Member Author

rvagg commented Nov 23, 2015

Using the work in #3965 combined with the v0.10 and v0.10-staging branches I've pushed an RC 1 to test these builds on the new infra, binaries are available for download @ https://nodejs.org/download/rc/v0.10.41-rc.1/

@evanlucas
Copy link
Contributor

the pkg for OS X looks good

@rvagg
Copy link
Member Author

rvagg commented Dec 3, 2015

Updated to match current #3965 which should be close to final. Preparing for OpenSSL upgrade. Unfortunately we can't do a simple OpenSSL-commits-only release for v0.10 because our build infra won't allow it and when you start pulling in commits to support our infra you end up with a large chunk of the commits staged on v0.10 anyway. So I'm suggesting we just move ahead with v0.10.41 with all pending commits as soon as we have the OpenSSL 1.0.1 upgrade ready.

/cc @nodejs/security

bnoordhuis and others added 6 commits December 4, 2015 03:39
Contains fixes for:

* CVE-2015-3194 Certificate verify crash with missing PSS parameter
* CVE-2015-3195 X509_ATTRIBUTE memory leak

fixup! character encoding noise

fixup! update opensslconf.h

PR-URL: #4132
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
PR-URL: #3965
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
PR-URL: #3965
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
PR-URL: #3965
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
When MSBuild invokes rc.exe, it passes NODE_TAG unstringified, but
passes it correctly to cl.exe. Hence, this workaround was made to
apply only to the resource file.

Fixes: #2963
PR-URL: #3053
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Security Update

Notable items:

* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
  part of the strategy to get a version of npm into Node.js v0.10.x that
  works with the current registry
  (nodejs/Release#37). This version of npm prints
  out a banner each time it is run. The banner warns that the next
  standard release of Node.js v0.10.x will ship with a version of npm
  v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
  "Certificate verify crash with missing PSS parameter", a potential
  denial-of-service vector for Node.js TLS servers; TLS clients are also
  impacted. Details are available at
  <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
  #4133

PR-URL: nodejs-private/node-private#15
@rvagg
Copy link
Member Author

rvagg commented Dec 3, 2015

https://ci.nodejs.org/job/node-test-pull-request/916/

Incorporated the OpenSSL fixes and the updated build fixes, updated commits list in OP, release notes now starts with:


2015-12-04, Version 0.10.41 (Maintenance), @rvagg

Security Update

Notable items:

  • build: Add support for Microsoft Visual Studio 2015
  • npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (npm in 0.10 LTS Release#37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2.
  • openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at http://openssl.org/news/secadv/20151203.txt. (Ben Noordhuis) deps: upgrade to openssl 1.0.1q (v0.12) #4133

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lts Issues and PRs related to Long Term Support releases. meta Issues and PRs related to the general management of the project.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants