This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/ for details on patched vulnerabilities.

Notable changes:

* buffer: Zero-fill excess bytes in new `Buffer` objects created with `Buffer.concat()` while providing a `totalLength` parameter that exceeds the total length of the original `Buffer` objects being concatenated. (Сковорода Никита Андреевич)
* http:
  - CVE-2016-5325 - Properly validate for allowable characters in the `reason` argument in `ServerResponse#writeHead()`. Fixes a possible response splitting attack vector. This introduces a new case where `throw` may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
  - Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of `*.` in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian). (Ben Noordhuis)

PR-URL: https://github.com/nodejs/node-private/pull/71
Node.js v0.10 ChangeLog
Note: Node.js v0.10 is covered by the Node.js Long Term Support Plan and will be maintained until October 2016.
2016-09-27, Version 0.10.47 (Maintenance), @rvagg
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/ for details on patched vulnerabilities.
Notable changes:
- buffer: Zero-fill excess bytes in new `Buffer` objects created with `Buffer.concat()` while providing a `totalLength` parameter that exceeds the total length of the original `Buffer` objects being concatenated. (Сковорода Никита Андреевич)
- http:
  - CVE-2016-5325 - Properly validate for allowable characters in the `reason` argument in `ServerResponse#writeHead()`. Fixes a possible response splitting attack vector. This introduces a new case where `throw` may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
  - Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
- openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178 and CVE-2016-6306.
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of `*.` in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian). (Ben Noordhuis)
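The two http checks in the notes above, written out as application-side validation that runs before `writeHead()` is called. This is an added example, not Node.js core code: the allowed reason-phrase characters are taken from RFC 7230 as an assumption about what "allowable" means here, and `safeWriteHead`, `makeStubResponse` and the sample values are hypothetical names constructed for illustration.

```javascript
// Added example, not Node.js core code. It mirrors the two http checks in the
// v0.10.47 notes so an application can reject bad input before writeHead().

// RFC 7230 reason-phrase: HTAB / SP / VCHAR / obs-text. Everything else,
// CR and LF included, is refused. (Assumed character set, see lead-in.)
const INVALID_REASON_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Constructed sample values.
const TAINTED_REASON = 'OK\r\nX-Injected: 1';
const SAMPLE_HEADERS = { 'Content-Type': 'text/plain' };

// "Limited to 3 digit numbers between 100 - 999."
function isValidStatusCode(code) {
  return Number.isInteger(code) && code >= 100 && code <= 999;
}

function isValidReason(reason) {
  return typeof reason === 'string' && !INVALID_REASON_CHAR.test(reason);
}

// What a serializer with no validation would put on the wire.
// Present only to show the effect the checks prevent.
function naiveHead(code, reason, headers) {
  let head = 'HTTP/1.1 ' + code + ' ' + reason + '\r\n';
  Object.keys(headers).forEach(function (name) {
    head += name + ': ' + headers[name] + '\r\n';
  });
  return head + '\r\n';
}

// Header names a downstream parser (proxy, cache, browser) would read
// from a serialized response head.
function headerNames(rawHead) {
  const names = [];
  for (const line of rawHead.split('\r\n').slice(1)) {
    if (line === '') break; // blank line ends the header block
    const idx = line.indexOf(':');
    names.push((idx === -1 ? line : line.slice(0, idx)).toLowerCase());
  }
  return names;
}

// Validate first, and still wrap writeHead() in try/catch because a patched
// runtime may throw on input this check accepts. Falls back to a bare 500.
function safeWriteHead(res, code, reason, headers) {
  const fallback = function () {
    res.writeHead(500, { 'Content-Type': 'text/plain' });
    return false;
  };
  if (!isValidStatusCode(code) || !isValidReason(reason)) return fallback();
  try {
    res.writeHead(code, reason, headers);
    return true;
  } catch (err) {
    return fallback();
  }
}

// Constructed stand-in for http.ServerResponse that records writeHead() calls.
// With strict=true it imitates a hypothetical runtime that throws on any
// non-ASCII reason, which exercises the catch path above.
function makeStubResponse(strict) {
  return {
    calls: [],
    writeHead: function (code, reason) {
      if (strict && typeof reason === 'string' && /[^\x20-\x7e]/.test(reason)) {
        throw new TypeError('Invalid character in statusMessage.');
      }
      this.calls.push(Array.prototype.slice.call(arguments));
    }
  };
}
```

`headerNames(naiveHead(200, TAINTED_REASON, SAMPLE_HEADERS))` reports an `x-injected` header the application never set, which is the condition both checks exist to rule out.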
Commits:
- [fc259c7dc4] - buffer: zero-fill uninitialized bytes in .concat() (Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/67
- [35b49ed4bb] - build: turn on -fno-delete-null-pointer-checks (Ben Noordhuis) https://github.com/nodejs/node/pull/6738
- [03f4920d6a] - crypto: don't build hardware engines (Rod Vagg) https://github.com/nodejs/node-private/pull/68
- [1cbdb1957d] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25368
- [c66408cd0c] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [68f88ea792] - deps: separate sha256/sha512-x86_64.pl for openssl (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [884d50b348] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
- [bfd6cb5699] - deps: upgrade openssl sources to 1.0.1u (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
- [3614a173d0] - http: check reason chars in writeHead (Evan Lucas) https://github.com/nodejs/node-private/pull/48
- [f2433430ca] - http: disallow sending obviously invalid status codes (Evan Lucas) https://github.com/nodejs/node-private/pull/48
- [0d7e21ee7b] - lib: make tls.checkServerIdentity() more strict (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
- [1f4a6f5bd1] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
- [88dcc7f5bb] - v8: fix -Wsign-compare warning in Zone::New() (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
- [fd8ac56c75] - v8: fix build errors with g++ 6.1.1 (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
2016-06-23, Version 0.10.46 (Maintenance), @rvagg
Notable changes:
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ for details on patched vulnerabilities.
- libuv: (CVE-2014-9748) Fixes a bug in the read/write locks implementation for Windows XP and Windows 2003 that can lead to undefined and potentially unsafe behaviour. More information can be found at https://github.com/libuv/libuv/issues/515 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
- V8: (CVE-2016-1669) Fixes a potential Buffer overflow vulnerability discovered in V8, more details can be found in the CVE at https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
Commits:
- [3374f57973] - deps: update libuv to 0.10.37 (Saúl Ibarra Corretgé) https://github.com/nodejs/node/pull/7293
- [fcb9145e29] - deps: backport 3a9bfec from v8 upstream (Myles Borins) https://github.com/nodejs/node-private/pull/43
2016-05-06, Version 0.10.45 (Maintenance), @rvagg
Notable changes:
- npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) https://github.com/nodejs/node/pull/5987
- openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
  - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check"
  - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details
Commits:
- [3cff81c7d6] - deps: completely upgrade npm in LTS to 2.15.1 (Forrest L Norvell) https://github.com/nodejs/node/pull/5987
- [7c22f19009] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368
- [5d78366937] - deps: update openssl asm files (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
- [2bc2427cb7] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) https://github.com/joyent/node/pull/25654
- [8df4b0914c] - deps: separate sha256/sha512-x86_64.pl for openssl (Shigeki Ohtsu) https://github.com/joyent/node/pull/25654
- [11eefefb17] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
- [61ccc27b54] - deps: upgrade openssl sources to 1.0.1t (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
- [aa02438274] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) https://github.com/joyent/node/pull/25654
2016-03-31, Version 0.10.44 (Maintenance), @rvagg
Notable changes
- npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
- openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (https://github.com/nodejs/LTS/issues/85). (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
Commits
- [feceb77d7e] - deps: upgrade npm in LTS to 2.15.1 (Forrest L Norvell) https://github.com/nodejs/node/pull/5968
- [0847954331] - deps: Disable EXPORT and LOW ciphers in openssl (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
- [6bb86e727a] - test: change tls tests not to use LOW cipher (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
- [905bec29ad] - win,build: support Visual C++ Build Tools 2015 (João Reis) https://github.com/nodejs/node/pull/5627
2016-03-04, Version 0.10.43 (Maintenance), @rvagg
Notable changes:
- http_parser: Update to http-parser 1.2 to fix an unintentionally strict limitation of allowable header characters. (James M Snell) https://github.com/nodejs/node/pull/5242
- domains:
  - Prevent an exit due to an exception being thrown rather than emitting an `'uncaughtException'` event on the `process` object when no error handler is set on the domain within which an error is thrown and an `'uncaughtException'` event listener is set on `process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
  - Fix an issue where the process would not abort in the proper function call if an error is thrown within a domain with no error handler and `--abort-on-uncaught-exception` is used. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- openssl: Upgrade from 1.0.1r to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
  - Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are unlikely to be possible. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0702
  - Remove SSLv2 support, the `--enable-ssl2` command line argument will now produce an error. The DROWN Attack (https://drownattack.com/) creates a vulnerability where SSLv2 is enabled by a server, even if a client connection is not using SSLv2. The SSLv2 protocol is widely considered unacceptably broken and should not be supported. More information is available at https://www.openssl.org/news/vulnerabilities.html#2016-0800
Commits:
- [164157abbb] - build: update Node.js logo on OSX installer (Rod Vagg) https://github.com/nodejs/node/pull/5401
- [f8cb0dcf67] - crypto,tls: remove SSLv2 support (Ben Noordhuis) https://github.com/nodejs/node/pull/5529
- [42ded2a590] - deps: upgrade openssl to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- [1e45a6111c] - deps: update http-parser to version 1.2 (James M Snell) https://github.com/nodejs/node/pull/5242
- [6db377b2f4] - doc: remove SSLv2 descriptions (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5541
- [563c359f5c] - domains: fix handling of uncaught exceptions (Julien Gilli) https://github.com/nodejs/node/pull/3887
- [e483f3fd26] - test: fix hanging http obstext test (Ben Noordhuis) https://github.com/nodejs/node/pull/5511
2016-02-09, Version 0.10.42 (Maintenance), @jasnell
This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
Notable changes
- http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters.
- http-parser: upgrade from 1.0 to 1.1
- openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits.
- src:
  - introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216`
- build:
  - xz compressed tar files will be made available from nodejs.org for v0.10 builds from v0.10.42 onward
  - A headers.tar.gz file will be made available from nodejs.org for v0.10 builds from v0.10.42 onward, a future change to node-gyp will be required to make use of these
Commits
- [fdc332183e] - build: enable xz compressed tarballs where possible (Rod Vagg) https://github.com/nodejs/node/pull/4894
- [2d35b421b5] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368
- [b31c0f3ea4] - deps: update http-parser to version 1.1 (James M Snell)
- [616ec1d6b0] - doc: clarify v0.10.41 openssl tls security impact (Rod Vagg) https://github.com/nodejs/node/pull/4153
- [ccb3c2377c] - http: strictly forbid invalid characters from headers (James M Snell)
- [f0af0d1f96] - src: avoid compiler warning in node_revert.cc (James M Snell)
- [df80e856c6] - src: add --security-revert command line flag (James M Snell)
- [ff58dcdd74] - tools: backport tools/install.py for headers (Richard Lau) https://github.com/nodejs/node/pull/4149
2015-12-04, Version 0.10.41 (Maintenance), @rvagg
Security Update
Notable changes
- build: Add support for Microsoft Visual Studio 2015
- npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (https://github.com/nodejs/LTS/issues/37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2.
- openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client certificate authentication; TLS clients are also impacted. Details are available at http://openssl.org/news/secadv/20151203.txt. (Ben Noordhuis) https://github.com/nodejs/node/pull/4133
Commits
- [16ca0779f5] - src/node.cc: fix build error without OpenSSL support (Jörg Krause) https://github.com/nodejs/node-v0.x-archive/pull/25862
- [c559c7911d] - build: backport tools/release.sh (Rod Vagg) https://github.com/nodejs/node/pull/3965
- [268d2b4637] - build: backport config for new CI infrastructure (Rod Vagg) https://github.com/nodejs/node/pull/3965
- [c88a0b26da] - build: update manifest to include Windows 10 (Lucien Greathouse) https://github.com/nodejs/node/pull/2838
- [8564a9f5f7] - build: gcc version detection on openSUSE Tumbleweed (Henrique Aparecido Lavezzo) https://github.com/nodejs/node-v0.x-archive/pull/25671
- [9c7bd6de56] - build: run-ci makefile rule (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [ffa1e1f31d] - build: support flaky tests in test-ci (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [100dd19e61] - build: support Jenkins via test-ci (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [ec861f6f90] - build: make release process easier for multi users (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25638
- [d7ae79a452] - build,win: fix node.exe resource version (João Reis) https://github.com/nodejs/node/pull/3053
- [6ac47aa9f5] - build,win: try next MSVS version on failure (João Reis) https://github.com/nodejs/node/pull/2910
- [e669b27740] - crypto: replace rwlocks with simple mutexes (Ben Noordhuis) https://github.com/nodejs/node/pull/2723
- [ce0a48826e] - deps: upgrade to openssl 1.0.1q (Ben Noordhuis) https://github.com/nodejs/node/pull/4132
- [b68781e500] - deps: upgrade npm to 1.4.29 (Forrest L Norvell) https://github.com/nodejs/node/pull/3639
- [7cf0d9c1d9] - deps: fix openssl for MSVS 2015 (Andy Polyakov) https://github.com/nodejs/node-v0.x-archive/pull/25857
- [9ee8a14f9e] - deps: fix gyp to work on MacOSX without XCode (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25857
- [a525c7244e] - deps: update gyp to 25ed9ac (João Reis) https://github.com/nodejs/node-v0.x-archive/pull/25857
- [6502160294] - dns: allow v8 to optimize lookup() (Brian White) https://github.com/nodejs/node-v0.x-archive/pull/8942
- [5d829a63ab] - doc: backport README.md (Rod Vagg) https://github.com/nodejs/node/pull/3965
- [62c8948109] - doc: fix Folders as Modules omission of index.json (Elan Shanker) https://github.com/nodejs/node-v0.x-archive/pull/8868
- [572663f303] - https: don't overwrite servername option (skenqbx) https://github.com/nodejs/node-v0.x-archive/pull/9368
- [75c84b2439] - test: add test for https agent servername option (skenqbx) https://github.com/nodejs/node-v0.x-archive/pull/9368
- [841a6dd264] - test: mark more tests as flaky (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25807
- [a7fee30da1] - test: mark test-tls-securepair-server as flaky (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25807
- [7df57703dd] - test: mark test-net-error-twice flaky on SmartOS (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25760
- [e10892cccc] - test: make test-abort-fatal-error non flaky (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25755
- [a2f879f197] - test: mark recently failing tests as flaky (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [e7010bdf92] - test: runner should return 0 on flaky tests (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [c283c9bbb3] - test: support writing test output to file (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [eeaed586bb] - test: runner support for flaky tests (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [3bb8174b94] - test: refactor to use common testcfg (Timothy J Fontaine) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [df59d43586] - tools: pass constant to logger instead of string (Johan Bergström) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [d103d4ed9a] - tools: fix test.py after v8 upgrade (Ben Noordhuis) https://github.com/nodejs/node-v0.x-archive/pull/25686
- [8002192b4e] - win: manifest node.exe for Windows 8.1 (Alexis Campailla) https://github.com/nodejs/node/pull/2838
- [66ec1dae8f] - win: add MSVS 2015 support (Rod Vagg) https://github.com/nodejs/node-v0.x-archive/pull/25857
- [e192f61514] - win: fix custom actions for WiX older than 3.9 (João Reis) https://github.com/nodejs/node-v0.x-archive/pull/25569
- [16bcd68dc5] - win: fix custom actions on Visual Studio != 2013 (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25569
- [517986c2f4] - win: backport bringing back xp/2k3 support (Bert Belder) https://github.com/nodejs/node-v0.x-archive/pull/25569
- [10f251e8dd] - win: backport set env before generating projects (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25569
2015-07-09, Version 0.10.40 (Maintenance)
Commits
- [0cf9f27703] - openssl: upgrade to 1.0.1p #25654
- [5a60e0d904] - V8: back-port JitCodeEvent patch from upstream (Ben Noordhuis) #25588
- [18d413d299] - win,msi: create npm folder in AppData directory (Steven Rockarts) #8838
2015-06-18, Version 0.10.39 (Maintenance)
Commits
- [456c22f63f] - openssl: upgrade to 1.0.1o (Addressing multiple CVEs) #25523
- [9d19dfbfdb] - install: fix source path for openssl headers (Oguz Bastemur) #14089
- [4028669531] - install: make sure opensslconf.h is overwritten (Oguz Bastemur) #14089
- [d38e865fce] - timers: fix timeout when added in timer's callback (Julien Gilli) #17203
- [e7c84f82c7] - windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel) #25100
2015-03-23, Version 0.10.38 (Maintenance)
Commits
- [3b511a8ccd] - openssl: upgrade to 1.0.1m (Addressing multiple CVEs)
2015-03-11, Version 0.10.37 (Maintenance)
Commits
- [dcff5d565c] - uv: update to 0.10.36 (CVE-2015-0278) #9274
- [f2a45caf2e] - domains: fix stack clearing after error handled (Jonas Dohse) #9364
- [d01a900078] - buffer: reword Buffer.concat error message (Chris Dickinson) #8723
- [c8239c08d7] - console: allow Object.prototype fields as labels (Julien Gilli) #9215
- [431eb172f9] - V8: log version in profiler log file (Ben Noordhuis) #9043
- [8bcd0a4c4a] - http: fix performance regression for GET requests (Florin-Cristian Gavrila) #9026
2015-01-26, Version 0.10.36 (Stable)
Commits
- [deef605085] - openssl: update to 1.0.1l
- [45f1330425] - v8: Fix debugger and strict mode regression (Julien Gilli)
- [6ebd85e105] - v8: don't busy loop in cpu profiler thread (Ben Noordhuis) #8789
2014.12.22, Version 0.10.35 (Stable)
- tls: re-add 1024-bit SSL certs removed by f9456a2 (Chris Dickinson)
- timers: don't close interval timers when unrefd (Julien Gilli)
- timers: don't mutate unref list while iterating it (Julien Gilli)
2014.12.17, Version 0.10.34 (Stable)
- uv: update to v0.10.30
- zlib: upgrade to v1.2.8
- child_process: check execFile args is an array (Sam Roberts)
- child_process: check fork args is an array (Sam Roberts)
- crypto: update root certificates (Ben Noordhuis)
- domains: fix issues with abort on uncaught (Julien Gilli)
- timers: Avoid linear scan in _unrefActive. (Julien Gilli)
- timers: fix unref() memory leak (Trevor Norris)
- v8: add api for aborting on uncaught exception (Julien Gilli)
- debugger: fix when using "use strict" (Julien Gilli)
2014.10.20, Version 0.10.33 (Stable)
- openssl: Update to 1.0.1j (Addressing multiple CVEs)
- uv: Update to v0.10.29
- child_process: properly support optional args (cjihrig)
- crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

  This is a behavior change, by default we will not allow the negotiation to SSLv2 or SSLv3. If you want this behavior, run Node.js with either `--enable-ssl2` or `--enable-ssl3` respectively.

  This does not change the behavior for users specifically requesting `SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is assumed you know what you're doing since you're specifically asking to use these methods.
2014.09.16, Version 0.10.32 (Stable)
- npm: Update to 1.4.28
- v8: fix a crash introduced by previous release (Fedor Indutny)
- configure: add --openssl-no-asm flag (Fedor Indutny)
- crypto: use domains for any callback-taking method (Chris Dickinson)
- http: do not send `0\r\n\r\n` in TE HEAD responses (Fedor Indutny)
- querystring: fix unescape override (Tristan Berger)
- url: Add support for RFC 3490 separators (Mathias Bynens)
2014.08.19, Version 0.10.31 (Stable)
- v8: backport CVE-2013-6668
- openssl: Update to v1.0.1i
- npm: Update to v1.4.23
- cluster: disconnect should not be synchronous (Sam Roberts)
- fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)
- stream: fix Readable.wrap objectMode falsy values (James Halliday)
- timers: fix timers with non-integer delay hanging. (Julien Gilli)
2014.07.31, Version 0.10.30 (Stable)
- uv: Upgrade to v0.10.28
- npm: Upgrade to v1.4.21
- v8: Interrupts must not mask stack overflow.
- Revert "stream: start old-mode read in a next tick" (Fedor Indutny)
- buffer: fix sign overflow in `readUIn32BE` (Fedor Indutny)
- buffer: improve {read,write}{U}Int* methods (Nick Apperson)
- child_process: handle writeUtf8String error (Fedor Indutny)
- deps: backport 4ed5fde4f from v8 upstream (Fedor Indutny)
- deps: cherry-pick eca441b2 from OpenSSL (Fedor Indutny)
- lib: remove and restructure calls to isNaN() (cjihrig)
- module: eliminate double `getenv()` (Maciej Małecki)
- stream2: flush extant data on read of ended stream (Chris Dickinson)
- streams: remove unused require('assert') (Rod Vagg)
- timers: backport f8193ab (Julien Gilli)
- util.h: interface compatibility (Oguz Bastemur)
- zlib: do not crash on write after close (Fedor Indutny)
2014.06.05, Version 0.10.29 (Stable)
- openssl: to 1.0.1h (CVE-2014-0224)
- npm: upgrade to 1.4.14
- utf8: Prevent Node from sending invalid UTF-8 (Felix Geisendörfer)
  - NOTE this introduces a breaking change, previously you could construct invalid UTF-8 and invoke an error in a client that was expecting valid UTF-8, now unmatched surrogate pairs are replaced with the unknown UTF-8 character. To restore the old functionality simply have NODE_INVALID_UTF8 environment variable set.
- child_process: do not set args before throwing (Greg Sabia Tucker)
- child_process: spawn() does not throw TypeError (Greg Sabia Tucker)
- constants: export O_NONBLOCK (Fedor Indutny)
- crypto: improve memory usage (Alexis Campailla)
- fs: close file if fstat() fails in readFile() (cjihrig)
- lib: name EventEmitter prototype methods (Ben Noordhuis)
- tls: fix performance issue (Alexis Campailla)
2014.05.01, Version 0.10.28 (Stable)
- npm: upgrade to v1.4.9
2014.05.01, Version 0.10.27 (Stable)
- npm: upgrade to v1.4.8
- openssl: upgrade to 1.0.1g
- uv: update to v0.10.27
- dns: fix certain txt entries (Fedor Indutny)
- assert: Ensure reflexivity of deepEqual (Mike Pennisi)
- child_process: fix deadlock when sending handles (Fedor Indutny)
- child_process: fix sending handle twice (Fedor Indutny)
- crypto: do not lowercase cipher/hash names (Fedor Indutny)
- dtrace: workaround linker bug on FreeBSD (Fedor Indutny)
- http: do not emit EOF non-readable socket (Fedor Indutny)
- http: invoke createConnection when no agent (Nathan Rajlich)
- stream: remove useless check (Brian White)
- timer: don't reschedule timer bucket in a domain (Greg Brail)
- url: treat \ the same as / (isaacs)
- util: format as Error if instanceof Error (Rod Vagg)
2014.02.18, Version 0.10.26 (Stable)
- uv: Upgrade to v0.10.25 (Timothy J Fontaine)
- npm: upgrade to 1.4.3 (isaacs)
- v8: support compiling with VS2013 (Fedor Indutny)
- cares: backport TXT parsing fix (Fedor Indutny)
- crypto: throw on SignFinal failure (Fedor Indutny)
- crypto: update root certificates (Ben Noordhuis)
- debugger: Fix breakpoint not showing after restart (Farid Neshat)
- fs: make unwatchFile() insensitive to path (iamdoron)
- net: do not re-emit stream errors (Fedor Indutny)
- net: make Socket destroy() re-entrance safe (Jun Ma)
- net: reset `endEmitted` on reconnect (Fedor Indutny)
- node: do not close stdio implicitly (Fedor Indutny)
- zlib: avoid assertion in close (Fedor Indutny)
2014.01.23, Version 0.10.25 (Stable)
- uv: Upgrade to v0.10.23
- npm: Upgrade to v1.3.24
- v8: Fix enumeration for objects with lots of properties
- child_process: fix spawn() optional arguments (Sam Roberts)
- cluster: report more errors to workers (Fedor Indutny)
- domains: exit() only affects active domains (Ryan Graham)
- src: OnFatalError handler must abort() (Timothy J Fontaine)
- stream: writes may return false but forget to emit drain (Yang Tianyang)
2013.12.18, Version 0.10.24 (Stable)
- uv: Upgrade to v0.10.21
- npm: upgrade to 1.3.21
- v8: backport fix for CVE-2013-{6639|6640}
- build: unix install node and dep library headers (Timothy J Fontaine)
- cluster, v8: fix --logfile=%p.log (Ben Noordhuis)
- module: only cache package main (Wyatt Preul)
2013.12.12, Version 0.10.23 (Stable)
- uv: Upgrade to v0.10.20 (Timothy J Fontaine)
- npm: Upgrade to 1.3.17 (isaacs)
- gyp: update to 78b26f7 (Timothy J Fontaine)
- build: include postmortem symbols on linux (Timothy J Fontaine)
- crypto: Make Decipher._flush() emit errors. (Kai Groner)
- dgram: fix abort when getting `fd` of closed dgram (Fedor Indutny)
- events: do not accept NaN in setMaxListeners (Fedor Indutny)
- events: avoid calling `once` functions twice (Tim Wood)
- events: fix TypeError in removeAllListeners (Jeremy Martin)
- fs: report correct path when EEXIST (Fedor Indutny)
- process: enforce allowed signals for kill (Sam Roberts)
- tls: emit 'end' on .receivedShutdown (Fedor Indutny)
- tls: fix potential data corruption (Fedor Indutny)
- tls: handle `ssl.start()` errors appropriately (Fedor Indutny)
- tls: reset NPN callbacks after SNI (Fedor Indutny)
2013.11.12, Version 0.10.22 (Stable)
- npm: Upgrade to 1.3.14
- uv: Upgrade to v0.10.19
- child_process: don't assert on stale file descriptor events (Fedor Indutny)
- darwin: Fix "Not Responding" in Mavericks activity monitor (Fedor Indutny)
- debugger: Fix bug in sb() with unnamed script (Maxim Bogushevich)
- repl: do not insert duplicates into completions (Maciej Małecki)
- src: Fix memory leak on closed handles (Timothy J Fontaine)
- tls: prevent stalls by using read(0) (Fedor Indutny)
- v8: use correct timezone information on Solaris (Maciej Małecki)
2013.10.18, Version 0.10.21 (Stable)
- uv: Upgrade to v0.10.18
- crypto: clear errors from verify failure (Timothy J Fontaine)
- dtrace: interpret two byte strings (Dave Pacheco)
- fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)
- http: provide backpressure for pipeline flood (isaacs)
- tls: fix premature connection termination (Ben Noordhuis)
2013.09.30, Version 0.10.20 (Stable)
- tls: fix sporadic hang and partial reads (Fedor Indutny)
- fixes "npm ERR! cb() never called!"
2013.09.24, Version 0.10.19 (Stable)
- uv: Upgrade to v0.10.17
- npm: upgrade to 1.3.11
- readline: handle input starting with control chars (Eric Schrock)
- configure: add mips-float-abi (soft, hard) option (Andrei Sedoi)
- stream: objectMode transforms allow falsey values (isaacs)
- tls: prevent duplicate values returned from read (Nathan Rajlich)
- tls: NPN protocols are now local to connections (Fedor Indutny)
2013.09.04, Version 0.10.18 (Stable)
- uv: Upgrade to v0.10.15
- stream: Don't crash on unset _events property (isaacs)
- stream: Pass 'buffer' encoding with decoded writable chunks (isaacs)
2013.08.21, Version 0.10.17 (Stable)
- uv: Upgrade v0.10.14
- http_parser: Do not accept PUN/GEM methods as PUT/GET (Chris Dickinson)
- tls: fix assertion when ssl is destroyed at read (Fedor Indutny)
- stream: Throw on 'error' if listeners removed (isaacs)
- dgram: fix assertion on bad send() arguments (Ben Noordhuis)
- readline: pause stdin before turning off terminal raw mode (Daniel Chatfield)
2013.08.16, Version 0.10.16 (Stable)
- v8: back-port fix for CVE-2013-2882
- npm: Upgrade to 1.3.8
- crypto: fix assert() on malformed hex input (Ben Noordhuis)
- crypto: fix memory leak in randomBytes() error path (Ben Noordhuis)
- events: fix memory leak, don't leak event names (Ben Noordhuis)
- http: Handle hex/base64 encodings properly (isaacs)
- http: improve chunked res.write(buf) performance (Ben Noordhuis)
- stream: Fix double pipe error emit (Eran Hammer)
2013.07.25, Version 0.10.15 (Stable)
- src: fix process.getuid() return value (Ben Noordhuis)
2013.07.25, Version 0.10.14 (Stable)
- uv: Upgrade to v0.10.13
- npm: Upgrade to v1.3.5
- os: Don't report negative times in cpu info (Ben Noordhuis)
- fs: Handle large UID and GID (Ben Noordhuis)
- url: Fix edge-case when protocol is non-lowercase (Shuan Wang)
- doc: Streams API Doc Rewrite (isaacs)
- node: call MakeDomainCallback in all domain cases (Trevor Norris)
- crypto: fix memory leak in LoadPKCS12 (Fedor Indutny)
2013.07.09, Version 0.10.13 (Stable)
- uv: Upgrade to v0.10.12
- npm: Upgrade to 1.3.2
- windows: get proper errno (Ben Noordhuis)
- tls: only wait for finish if we haven't seen it (Timothy J Fontaine)
- http: Dump response when request is aborted (isaacs)
- http: use an unref'd timer to fix delay in exit (Peter Rust)
- zlib: level can be negative (Brian White)
- zlib: allow zero values for level and strategy (Brian White)
- buffer: add comment explaining buffer alignment (Ben Noordhuis)
- string_bytes: properly detect 64bit (Timothy J Fontaine)
- src: fix memory leak in UsingDomains() (Ben Noordhuis)
2013.06.18, Version 0.10.12 (Stable)
- npm: Upgrade to 1.2.32
- readline: make ctrl + L clear the screen (Yuan Chuan)
- v8: add setVariableValue debugger command (Ben Noordhuis)
- net: Do not destroy socket mid-write (isaacs)
- v8: fix build for mips32r2 architecture (Andrei Sedoi)
- configure: fix cross-compilation host_arch_cc() (Andrei Sedoi)
2013.06.13, Version 0.10.11 (Stable)
- uv: upgrade to 0.10.11
- npm: Upgrade to 1.2.30
- openssl: add missing configuration pieces for MIPS (Andrei Sedoi)
- Revert "http: remove bodyHead from 'upgrade' events" (isaacs)
- v8: fix pointer arithmetic undefined behavior (Trevor Norris)
- crypto: fix utf8/utf-8 encoding check (Ben Noordhuis)
- net: Fix busy loop on POLLERR|POLLHUP on older linux kernels (Ben Noordhuis, isaacs)
2013.06.04, Version 0.10.10 (Stable)
- uv: Upgrade to 0.10.10
- npm: Upgrade to 1.2.25
- url: Properly parse certain oddly formed urls (isaacs)
- stream: unshift('') is a noop (isaacs)
2013.05.30, Version 0.10.9 (Stable)
- npm: Upgrade to 1.2.24
- uv: Upgrade to v0.10.9
- repl: fix JSON.parse error check (Brian White)
- tls: proper .destroySoon (Fedor Indutny)
- tls: invoke write cb only after opposite read end (Fedor Indutny)
- tls: ignore .shutdown() syscall error (Fedor Indutny)
2013.05.24, Version 0.10.8 (Stable)
- v8: update to 3.14.5.9
- uv: upgrade to 0.10.8
- npm: Upgrade to 1.2.23
- http: remove bodyHead from 'upgrade' events (Nathan Zadoks)
- http: Return true on empty writes, not false (isaacs)
- http: save roundtrips, convert buffers to strings (Ben Noordhuis)
- configure: respect the --dest-os flag consistently (Nathan Rajlich)
- buffer: throw when writing beyond buffer (Trevor Norris)
- crypto: Clear error after DiffieHellman key errors (isaacs)
- string_bytes: strip padding from base64 strings (Trevor Norris)
2013.05.17, Version 0.10.7 (Stable)
- uv: upgrade to v0.10.7
- npm: Upgrade to 1.2.21
- crypto: Don't ignore verify encoding argument (isaacs)
- buffer, crypto: fix default encoding regression (Ben Noordhuis)
- timers: fix setInterval() assert (Ben Noordhuis)
2013.05.14, Version 0.10.6 (Stable)
- module: Deprecate require.extensions (isaacs)
- stream: make Readable.wrap support objectMode, empty streams (Daniel Moore)
- child_process: fix handle delivery (Ben Noordhuis)
- crypto: Fix performance regression (isaacs)
- src: DRY string encoding/decoding (isaacs)
2013.04.23, Version 0.10.5 (Stable)
- uv: Upgrade to 0.10.5 (isaacs)
- build: added support for Visual Studio 2012 (Miroslav Bajtoš)
- http: Don't try to destroy nonexistent sockets (isaacs)
- crypto: LazyTransform on properties, not methods (isaacs)
- assert: put info in err.message, not err.name (Ryan Doenges)
- dgram: fix no address bind() (Ben Noordhuis)
- handle_wrap: fix NULL pointer dereference (Ben Noordhuis)
- os: fix unlikely buffer overflow in os.type() (Ben Noordhuis)
- stream: Fix unshift() race conditions (isaacs)
2013.04.11, Version 0.10.4 (Stable)
- uv: Upgrade to 0.10.4
- npm: Upgrade to 1.2.18
- v8: Avoid excessive memory growth in JSON.parse (Fedor Indutny)
- child_process, cluster: fix O(n*m) scan of cmd string (Ben Noordhuis)
- net: fix socket.bytesWritten Buffers support (Fedor Indutny)
- buffer: fix offset checks (Łukasz Walukiewicz)
- stream: call write cb before finish event (isaacs)
- http: Support write(data, 'hex') (isaacs)
- crypto: dh secret should be left-padded (Fedor Indutny)
- process: expose NODE_MODULE_VERSION in process.versions (Rod Vagg)
- crypto: fix constructor call in crypto streams (Andreas Madsen)
- net: account for encoding in .byteLength (Fedor Indutny)
- net: fix buffer iteration in bytesWritten (Fedor Indutny)
- crypto: zero is not an error if writing 0 bytes (Fedor Indutny)
- tls: Re-enable check of CN-ID in cert verification (Tobias Müllerleile)
2013.04.03, Version 0.10.3 (Stable)
- npm: Upgrade to 1.2.17
- child_process: acknowledge sent handles (Fedor Indutny)
- etw: update prototypes to match dtrace provider (Timothy J Fontaine)
- dtrace: pass more arguments to probes (Dave Pacheco)
- build: allow building with dtrace on osx (Dave Pacheco)
- http: Remove legacy ECONNRESET workaround code (isaacs)
- http: Ensure socket cleanup on client response end (isaacs)
- tls: Destroy socket when encrypted side closes (isaacs)
- repl: isSyntaxError() catches "strict mode" errors (Nathan Rajlich)
- crypto: Pass options to ctor calls (isaacs)
- src: tie process.versions.uv to uv_version_string() (Ben Noordhuis)
2013.03.28, Version 0.10.2 (Stable)
- npm: Upgrade to 1.2.15
- uv: Upgrade to 0.10.3
- tls: handle SSL_ERROR_ZERO_RETURN (Fedor Indutny)
- tls: handle errors before calling C++ methods (Fedor Indutny)
- tls: remove harmful unnecessary bounds checking (Marcel Laverdet)
- crypto: make getCiphers() return non-SSL ciphers (Ben Noordhuis)
- crypto: check randomBytes() size argument (Ben Noordhuis)
- timers: do not calculate Timeout._when property (Alexey Kupershtokh)
- timers: fix off-by-one ms error (Alexey Kupershtokh)
- timers: handle signed int32 overflow in enroll() (Fedor Indutny)
- stream: Fix stall in Transform under very specific conditions (Gil Pedersen)
- stream: Handle late 'readable' event listeners (isaacs)
- stream: Fix early end in Writables on zero-length writes (isaacs)
- domain: fix domain callback from MakeCallback (Trevor Norris)
- child_process: don't emit same handle twice (Ben Noordhuis)
- child_process: fix sending utf-8 to child process (Ben Noordhuis)
2013.03.21, Version 0.10.1 (Stable)
- npm: upgrade to 1.2.15
- crypto: Improve performance of non-stream APIs (Fedor Indutny)
- tls: always reset this.ssl.error after handling (Fedor Indutny)
- tls: Prevent mid-stream hangs (Fedor Indutny, isaacs)
- net: improve arbitrary tcp socket support (Ben Noordhuis)
- net: handle 'finish' event only after 'connect' (Fedor Indutny)
- http: Don't hot-path end() for large buffers (isaacs)
- fs: Missing cb errors are deprecated, not a throw (isaacs)
- fs: make write/appendFileSync correctly set file mode (Raymond Feng)
- stream: Return self from readable.wrap (isaacs)
- stream: Never call decoder.end() multiple times (Gil Pedersen)
- windows: enable watching signals with process.on('SIGXYZ') (Bert Belder)
- node: revert removal of MakeCallback (Trevor Norris)
- node: Unwrap without aborting in handle fd getter (isaacs)
2013.03.11, Version 0.10.0 (Stable)
- npm: Upgrade to 1.2.14
- core: Append filename properly in dlopen on windows (isaacs)
- zlib: Manage flush flags appropriately (isaacs)
- domains: Handle errors thrown in nested error handlers (isaacs)
- buffer: Strip high bits when converting to ascii (Ben Noordhuis)
- win/msi: Enable modify and repair (Bert Belder)
- win/msi: Add feature selection for various node parts (Bert Belder)
- win/msi: use consistent registry key paths (Bert Belder)
- child_process: support sending dgram socket (Andreas Madsen)
- fs: Raise EISDIR on Windows when calling fs.read/write on a dir (isaacs)
- unix: fix strict aliasing warnings, macro-ify functions (Ben Noordhuis)
- unix: honor UV_THREADPOOL_SIZE environment var (Ben Noordhuis)
- win/tty: fix typo in color attributes enumeration (Bert Belder)
- win/tty: don't touch insert mode or quick edit mode (Bert Belder)