From 07d8741ddf6b52a249da4a7604437d2e87b694b3 Mon Sep 17 00:00:00 2001 From: Rod Vagg Date: Fri, 4 Dec 2015 22:40:17 +1100 Subject: [PATCH] 2015-12-04, Version 0.12.9 (Stable) Security Update Notable items: * http: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) * openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at . (Ben Noordhuis) #4133 PR-URL: https://github.com/nodejs/node-private/pull/13 --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index caac0b020b2..26a797c94a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,19 @@ # Node.js ChangeLog +## 2015-12-04, Version 0.12.9 (LTS), @rvagg + +Security Update + +### Notable changes + +* http: Fix CVE-2015-8027, a bug whereby an HTTP socket may no longer have a parser associated with it but a pipelined request attempts to trigger a pause or resume on the non-existent parser, a potential denial-of-service vulnerability. (Fedor Indutny) +* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client certificate authentication; TLS clients are also impacted. Details are available at . (Ben Noordhuis) https://github.com/nodejs/node/pull/4133 + +### Commits + +* [8d24a14f2c] - deps: upgrade to openssl 1.0.1q (Ben Noordhuis) https://github.com/nodejs/node/pull/4133 +* [dfc6f4a9af] - http: fix pipeline regression (Fedor Indutny) + ## 2015-12-04, Version 0.10.41 (Maintenance), @rvagg Security Update
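Review bot: The added heading labels the release "Version 0.12.9 (LTS)" while the commit subject calls it "Version 0.12.9 (Stable)"; one of the two should be corrected so the changelog and the commit agree on the release line. In the added openssl bullet, "Details are available at ." has no link target, so the reference for CVE-2015-3194 should be filled in or the sentence dropped. The http item in the commit message says the socket "may no longer have a socket" and does not name a CVE, whereas the changelog bullet says "parser" and names CVE-2015-8027; aligning the message with the changelog wording would keep the two records consistent. Under Commits, the "dfc6f4a9af" entry carries no PR link while "8d24a14f2c" does; if a public link exists, it should be added for traceability.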