diff options
author | Myles Borins <mylesborins@google.com> | 2017-12-07 15:07:03 -0500 |
---|---|---|
committer | Myles Borins <mylesborins@google.com> | 2017-12-08 08:55:41 -0500 |
commit | 8a44289089a08b7b19fa3c4651b5f1f5d1edd71b (patch) | |
tree | 980851d98f540e1f39f24f643623760a0a713904 | |
parent | 42f09ed461a5ff63c6630b009903b59bb991781b (diff) | |
download | node-new-8a44289089a08b7b19fa3c4651b5f1f5d1edd71b.tar.gz |
2017-12-08, Version 8.9.3 'Carbon' (LTS)v8.9.3v8.9.3-proposal
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)
Notable Changes:
* buffer:
* buffer allocated with an invalid content will now be zero filled
(Anna Henningsen)
https://github.com/nodejs/node/pull/17428
* deps:
* openssl updated to 1.0.2n (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/17526
PR-URL: https://github.com/nodejs/node/pull/17532
-rw-r--r-- | CHANGELOG.md | 3 | ||||
-rw-r--r-- | doc/api/buffer.md | 2 | ||||
-rw-r--r-- | doc/api/http2.md | 16 | ||||
-rw-r--r-- | doc/changelogs/CHANGELOG_V8.md | 41 | ||||
-rw-r--r-- | src/node_version.h | 2 |
5 files changed, 53 insertions, 11 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 76d5b50a93..0065d339f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,7 +27,8 @@ release. </tr> <tr> <td valign="top"> -<b><a href="doc/changelogs/CHANGELOG_V8.md#8.9.2">8.9.2</a></b><br/> +<b><a href="doc/changelogs/CHANGELOG_V8.md#8.9.3">8.9.3</a></b><br/> +<a href="doc/changelogs/CHANGELOG_V8.md#8.9.2">8.9.2</a><br/> <a href="doc/changelogs/CHANGELOG_V8.md#8.9.1">8.9.1</a><br/> <a href="doc/changelogs/CHANGELOG_V8.md#8.9.0">8.9.0</a><br/> <a href="doc/changelogs/CHANGELOG_V8.md#8.8.1">8.8.1</a><br/> diff --git a/doc/api/buffer.md b/doc/api/buffer.md index c9f975770b..4a54a25bfc 100644 --- a/doc/api/buffer.md +++ b/doc/api/buffer.md @@ -511,7 +511,7 @@ console.log(buf2.toString()); <!-- YAML added: v5.10.0 changes: - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/17428 description: Specifying an invalid string for `fill` now results in a zero-filled buffer. diff --git a/doc/api/http2.md b/doc/api/http2.md index 7ae796ec47..3e95ac2a69 100644 --- a/doc/api/http2.md +++ b/doc/api/http2.md @@ -344,7 +344,7 @@ frames have been acknowledged. #### http2session.ping([payload, ]callback) <!-- YAML -added: REPLACEME +added: v8.9.3 --> * `payload` {Buffer|TypedArray|DataView} Optional ping payload. @@ -1473,11 +1473,11 @@ not be emitted. <!-- YAML added: v8.4.0 changes: - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/17105 description: Added the `maxOutstandingPings` option with a default limit of 10. - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/16676 description: Added the `maxHeaderListPairs` option with a default limit of 128 header pairs. @@ -1541,11 +1541,11 @@ server.listen(80); <!-- YAML added: v8.4.0 changes: - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/17105 description: Added the `maxOutstandingPings` option with a default limit of 10. - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/16676 description: Added the `maxHeaderListPairs` option with a default limit of 128 header pairs. @@ -1619,11 +1619,11 @@ server.listen(80); <!-- YAML added: v8.4.0 changes: - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/17105 description: Added the `maxOutstandingPings` option with a default limit of 10. - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/16676 description: Added the `maxHeaderListPairs` option with a default limit of 128 header pairs. @@ -1791,7 +1791,7 @@ server.on('stream', (stream, headers) => { <!-- YAML added: v8.4.0 changes: - - version: REPLACEME + - version: v8.9.3 pr-url: https://github.com/nodejs/node/pull/16676 description: The `maxHeaderListSize` setting is now strictly enforced. --> diff --git a/doc/changelogs/CHANGELOG_V8.md b/doc/changelogs/CHANGELOG_V8.md index 4c4c0ae447..82354ee7e7 100644 --- a/doc/changelogs/CHANGELOG_V8.md +++ b/doc/changelogs/CHANGELOG_V8.md @@ -7,6 +7,7 @@ </tr> <tr> <td valign="top"> +<a href="#8.9.3">8.9.3</a><br/> <a href="#8.9.2">8.9.2</a><br/> <a href="#8.9.1">8.9.1</a><br/> <a href="#8.9.0">8.9.0</a><br/> @@ -45,6 +46,46 @@ [Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and will be supported actively until April 2019 and maintained until December 2019. +<a id="8.9.3"></a> +## 2017-12-08, Version 8.9.3 'Carbon' (LTS), @MylesBorins + +This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities. + +Fixes for the following CVEs are included in this release: + +* CVE-2017-15896 +* CVE-2017-15897 +* CVE-2017-3738 (from the openssl project) + +### Notable Changes + +* **buffer**: + * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428) +* **deps**: + * openssl updated to 1.0.2n (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526) + +### Commits + +* [[`b05ef978d3`](https://github.com/nodejs/node/commit/b05ef978d3)] - **buffer**: zero-fill buffer allocated with invalid content (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428) +* [[`18652b6860`](https://github.com/nodejs/node/commit/18652b6860)] - **deps**: update openssl asm and asm_obsolete files (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526) +* [[`e6c308e237`](https://github.com/nodejs/node/commit/e6c308e237)] - **deps**: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) [nodejs/io.js#1836](https://github.com/nodejs/io.js/pull/1836) +* [[`a85f94bd59`](https://github.com/nodejs/node/commit/a85f94bd59)] - **deps**: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389) +* [[`b5552c854c`](https://github.com/nodejs/node/commit/b5552c854c)] - **deps**: fix openssl assembly error on ia32 win32 (Fedor Indutny) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389) +* [[`afad1f23a2`](https://github.com/nodejs/node/commit/afad1f23a2)] - **deps**: copy all openssl header files to include dir (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526) +* [[`9fdd3bddf5`](https://github.com/nodejs/node/commit/9fdd3bddf5)] - **deps**: upgrade openssl sources to 1.0.2n (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526) +* [[`db09f245bf`](https://github.com/nodejs/node/commit/db09f245bf)] - **doc**: warn against filling buffer with invalid data (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428) +* [[`42f09ed461`](https://github.com/nodejs/node/commit/42f09ed461)] - **http2**: use correct connect event for TLS Socket (James M Snell) [#17328](https://github.com/nodejs/node/pull/17328) +* [[`aba3544b50`](https://github.com/nodejs/node/commit/aba3544b50)] - **http2**: use 'close' event instead of 'streamClosed' (James M Snell) [#17328](https://github.com/nodejs/node/pull/17328) +* [[`bd035d75bd`](https://github.com/nodejs/node/commit/bd035d75bd)] - **http2**: general cleanups in core.js (James M Snell) [#17209](https://github.com/nodejs/node/pull/17209) +* [[`a5e3ba2cb3`](https://github.com/nodejs/node/commit/a5e3ba2cb3)] - **http2**: major update to internals (James M Snell) [#17105](https://github.com/nodejs/node/pull/17105) +* [[`d7f37cebed`](https://github.com/nodejs/node/commit/d7f37cebed)] - **http2**: simplify subsequent rstStream calls (Anatoli Papirovski) [#16753](https://github.com/nodejs/node/pull/16753) +* [[`22ee960775`](https://github.com/nodejs/node/commit/22ee960775)] - **http2**: refactor multiple internals (James M Snell) [#16676](https://github.com/nodejs/node/pull/16676) +* [[`319beaf45b`](https://github.com/nodejs/node/commit/319beaf45b)] - **http2**: allocate on every chunk send (James M Snell) [#16669](https://github.com/nodejs/node/pull/16669) +* [[`7d68488524`](https://github.com/nodejs/node/commit/7d68488524)] - **openssl**: fix keypress requirement in apps on win32 (Shigeki Ohtsu) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389) +* [[`8e8fac29de`](https://github.com/nodejs/node/commit/8e8fac29de)] - **src**: fix -Winconsistent-missing-override warning (Ben Noordhuis) [#16726](https://github.com/nodejs/node/pull/16726) +* [[`26b43c87ee`](https://github.com/nodejs/node/commit/26b43c87ee)] - **src**: add method to compute storage in WriteWrap (Anna Henningsen) [#16727](https://github.com/nodejs/node/pull/16727) +* [[`99d775ca07`](https://github.com/nodejs/node/commit/99d775ca07)] - **test**: fix flaky test-http2-create-client-connect (David Benjamin) [#16130](https://github.com/nodejs/node/pull/16130) + <a id="8.9.2"></a> ## 2017-12-05, Version 8.9.2 'Carbon' (LTS), @gibfahn diff --git a/src/node_version.h b/src/node_version.h index f615681cc3..e06cb2bced 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -29,7 +29,7 @@ #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Carbon" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) |