mirror of
https://github.com/nodejs/node.git
synced 2024-11-21 10:59:27 +00:00
2015-12-04, Version 5.1.1 (Stable)
Security Update Notable items: * **http**: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) * **openssl**: Upgrade to 1.0.2e, containing fixes for: - CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64", an attack is considered feasible against DH, an attack against RSA and DSA is considered possible but unlikely, EC algorithms are not affected. Details are available at <http://openssl.org/news/secadv/20151203.txt>. - CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Shigeki Ohtsu) #4134 * v8: Backport fixes for a bug in `JSON.stringify()` that can result in out-of-bounds reads for arrays. (Ben Noordhuis) PR-URL: https://github.com/nodejs/node-private/pull/11
This commit is contained in:
parent
e935a5214c
commit
ab009a0955
25
CHANGELOG.md
25
CHANGELOG.md
@ -1,5 +1,30 @@
|
|||||||
# Node.js ChangeLog
|
# Node.js ChangeLog
|
||||||
|
|
||||||
|
## 2015-12-04, Version 5.1.1 (Stable), @rvagg
|
||||||
|
|
||||||
|
### Notable changes
|
||||||
|
|
||||||
|
* **http**: Fix CVE-2015-8027, a bug whereby an HTTP socket may no longer have a parser associated with it but a pipelined request attempts to trigger a pause or resume on the non-existent parser, a potential denial-of-service vulnerability. (Fedor Indutny)
|
||||||
|
* **openssl**: Upgrade to 1.0.2e, containing fixes for:
|
||||||
|
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64", an attack may be possible against a Node.js TLS server using DHE key exchange. Details are available at <http://openssl.org/news/secadv/20151203.txt>.
|
||||||
|
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client certificate authentication; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>.
|
||||||
|
(Shigeki Ohtsu) [#4134](https://github.com/nodejs/node/pull/4134)
|
||||||
|
* **v8**: Backport fix for CVE-2015-6764, a bug in `JSON.stringify()` that can result in out-of-bounds reads for arrays. (Ben Noordhuis)
|
||||||
|
|
||||||
|
### Known issues
|
||||||
|
|
||||||
|
* Surrogate pair in REPL can freeze terminal. [#690](https://github.com/nodejs/node/issues/690)
|
||||||
|
* Calling `dns.setServers()` while a DNS query is in progress can cause the process to crash on a failed assertion. [#894](https://github.com/nodejs/node/issues/894)
|
||||||
|
* `url.resolve` may transfer the auth portion of the url when resolving between two full hosts, see [#1435](https://github.com/nodejs/node/issues/1435).
|
||||||
|
* Unicode characters in filesystem paths are not handled consistently across platforms or Node.js APIs. See [#2088](https://github.com/nodejs/node/issues/2088), [#3401](https://github.com/nodejs/node/issues/3401) and [#3519](https://github.com/nodejs/node/issues/3519).
|
||||||
|
|
||||||
|
### Commits
|
||||||
|
|
||||||
|
* [[`678398f250`](https://github.com/nodejs/node/commit/678398f250)] - **deps**: backport a7e50a5 from upstream v8 (Ben Noordhuis)
|
||||||
|
* [[`76a552c938`](https://github.com/nodejs/node/commit/76a552c938)] - **deps**: backport 6df9a1d from upstream v8 (Ben Noordhuis)
|
||||||
|
* [[`533881f889`](https://github.com/nodejs/node/commit/533881f889)] - **deps**: upgrade openssl sources to 1.0.2e (Shigeki Ohtsu) [#4134](https://github.com/nodejs/node/pull/4134)
|
||||||
|
* [[`12e70fafd3`](https://github.com/nodejs/node/commit/12e70fafd3)] - **http**: fix pipeline regression (Fedor Indutny)
|
||||||
|
|
||||||
## 2015-12-04, Version 4.2.3 'Argon' (LTS), @rvagg
|
## 2015-12-04, Version 4.2.3 'Argon' (LTS), @rvagg
|
||||||
|
|
||||||
Security Update
|
Security Update
|
||||||
|
Loading…
Reference in New Issue
Block a user