author | James M Snell <jasnell@gmail.com> | 2016-02-08 12:48:33 -0800 |
---|---|---|
committer | James M Snell <jasnell@gmail.com> | 2016-02-09 08:41:18 -0800 |
commit | 8d7aa925de0bcbac24fec620364e47d15a116550 (patch) | |
tree | 4a827486a46953ebb0ed37790c37755dbcbd16fd | |
parent | 8e1e25bd52f980abf1633170738da3cec9a9ee5b (diff) | |
download | node-new-0.12.10.tar.gz |
2016-02-09, Version 0.12.10 (LTS) v0.12.10
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Notable changes:

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
* src:
  - introduce new `--security-revert={cvenum}` command line flag for
    selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using
    `--security-revert=CVE-2016-2216`
* build:
  - xz compressed tar files will be made available from nodejs.org for
    v0.12 builds from v0.12.10 onward
  - A headers.tar.gz file will be made available from nodejs.org for
    v0.12 builds from v0.12.10 onward, a future change to node-gyp
    will be required to make use of these

PR-URL: https://github.com/nodejs/node-private/pull/24
-rw-r--r-- | ChangeLog | 27 |
-rw-r--r-- | src/node_version.h | 2 |
2 files changed, 28 insertions, 1 deletions
@@ -1,3 +1,30 @@ +2016-02-09, Version 0.12.10 (LTS), @jasnell + +This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities. + +Notable changes: + +* http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters. +* http-parser: upgrade from 2.3.0 to 2.3.1 +* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits. +* src: + - introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes + - allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216` +* build: + - xz compressed tar files will be made available from nodejs.org for v0.12 builds from v0.12.10 onward + - A headers.tar.gz file will be made available from nodejs.org for v0.12 builds from v0.12.10 onward, a future change to node-gyp will be required to make use of these + +Commits: + +* [4312848bff] - build: enable xz compressed tarballs where possible (Rod Vagg) https://github.com/nodejs/node/pull/4894 +* [247626245c] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368 +* [744c9749fc] - deps: update http-parser to version 2.3.1 (James M Snell) +* [d1c56ec7d1] - doc: clarify v0.12.9 notable items (Rod Vagg) https://github.com/nodejs/node/pull/4154 +* [e128d9a5b4] - http: strictly forbid invalid characters from headers (James M Snell) +* [bdb9f2cf89] - src: avoiding compiler warnings in node_revert.cc (James M Snell) +* [23bced1fb3] - src: add --security-revert command line flag (James M Snell) +* [f41a3c73e7] - tools: backport 
tools/install.py for headers (Richard Lau) https://github.com/nodejs/node/pull/4149 + 2015-12-04, Version 0.12.9 (LTS), @rvagg Security Update diff --git a/src/node_version.h b/src/node_version.h index 9384cfef1d..7fae1335c3 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -26,7 +26,7 @@ #define NODE_MINOR_VERSION 12 #define NODE_PATCH_VERSION 10 -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) |
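Review bot: In the ChangeLog hunk, the two `src:` sub-items introduce `--security-revert={cvenum}` without saying what a revert costs: running with `--security-revert=CVE-2016-2216` switches off the fix for the response splitting issue named in the `http:` item just above. Suggest adding one sentence to that entry stating that the flag re-opens the listed CVE, so operators reading the ChangeLog do not mistake it for a tuning option. Separately, four entries in the Commits list (`744c9749fc`, `e128d9a5b4`, `bdb9f2cf89`, `23bced1fb3`) carry no PR link while the other entries do; if they landed through the private PR cited in the commit message, saying so in the list would make them auditable.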
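Review bot: In `src/node_version.h`, the only changed line is `NODE_VERSION_IS_RELEASE` going from 0 to 1, and nothing in the hunk ties it to the ChangeLog entry. The context line `#define NODE_PATCH_VERSION 10` does match the 0.12.10 heading added to ChangeLog, so the version is consistent. Please make sure the follow-up commit sets the flag back to 0 and bumps the patch number, so later builds from this branch do not identify themselves as the 0.12.10 security release.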