From d52d85fbd43c4b68100219c1488697fb28b3b347 Mon Sep 17 00:00:00 2001 From: Rod Vagg Date: Fri, 4 Dec 2015 14:06:08 +1100 Subject: [PATCH] 0.10.41, 0.12.9, 4.2.3, 5.1.1 releases and summary post --- locale/en/blog/release/v0.10.41.md | 120 ++++++++++++++++++ locale/en/blog/release/v0.12.9.md | 79 ++++++++++++ locale/en/blog/release/v4.2.3.md | 99 +++++++++++++++ locale/en/blog/release/v5.1.1.md | 99 +++++++++++++++ .../december-2015-security-releases.md | 60 +++++++++ 5 files changed, 457 insertions(+) create mode 100644 locale/en/blog/release/v0.10.41.md create mode 100644 locale/en/blog/release/v0.12.9.md create mode 100644 locale/en/blog/release/v4.2.3.md create mode 100644 locale/en/blog/release/v5.1.1.md create mode 100644 locale/en/blog/vulnerability/december-2015-security-releases.md diff --git a/locale/en/blog/release/v0.10.41.md b/locale/en/blog/release/v0.10.41.md new file mode 100644 index 0000000000000..9b24f52f48fdf --- /dev/null +++ b/locale/en/blog/release/v0.10.41.md 
@@ -0,0 +1,120 @@ +--- +date: 2015-12-04T03:01:00.000Z +version: 0.10.41 +category: release +title: Node v0.10.41 (Maintenance) +slug: node-v0-10-41 +layout: blog-post.hbs +author: Rod Vagg +--- + +**This is an important security release**. All Node.js users should consult our [December Security Release Summary](/en/blog/vulnerability/december-2015-security-releases/) for details on patched vulnerabilities. + +### New build infrastructure + +This is the first v0.10 release made with the new build infrastructure operated by the Node.js Foundation. Even though we have done our best to ensure that the build processes and tools are as close as possible to the previous infrastructure, it is possible that some unexpected issues arise from the changes. Please file bug reports on the [Node.js GitHub repository](https://github.com/nodejs/node) if you have trouble upgrading from v0.10.40 to v0.10.41. + +### Notable changes + +* **build**: Add support for Microsoft Visual Studio 2015 +* **npm**: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (https://github.com/nodejs/LTS/issues/37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2. +* **openssl**: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client authentication; TLS clients are also impacted. Details are available at . 
(Ben Noordhuis) https://github.com/nodejs/node/pull/4133 + +### Commits + +* [[`16ca0779f5`](https://github.com/nodejs/node/commit/16ca0779f5)] - src/node.cc: fix build error without OpenSSL support (Jörg Krause) [nodejs/node-v0.x-archive#25862](https://github.com/nodejs/node-v0.x-archive/pull/25862) +* [[`c559c7911d`](https://github.com/nodejs/node/commit/c559c7911d)] - **build**: backport tools/release.sh (Rod Vagg) [#3965](https://github.com/nodejs/node/pull/3965) +* [[`268d2b4637`](https://github.com/nodejs/node/commit/268d2b4637)] - **build**: backport config for new CI infrastructure (Rod Vagg) [#3965](https://github.com/nodejs/node/pull/3965) +* [[`c88a0b26da`](https://github.com/nodejs/node/commit/c88a0b26da)] - **build**: update manifest to include Windows 10 (Lucien Greathouse) [#2838](https://github.com/nodejs/node/pull/2838) +* [[`8564a9f5f7`](https://github.com/nodejs/node/commit/8564a9f5f7)] - **build**: gcc version detection on openSUSE Tumbleweed (Henrique Aparecido Lavezzo) [nodejs/node-v0.x-archive#25671](https://github.com/nodejs/node-v0.x-archive/pull/25671) +* [[`9c7bd6de56`](https://github.com/nodejs/node/commit/9c7bd6de56)] - **build**: run-ci makefile rule (Alexis Campailla) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`ffa1e1f31d`](https://github.com/nodejs/node/commit/ffa1e1f31d)] - **build**: support flaky tests in test-ci (Alexis Campailla) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`100dd19e61`](https://github.com/nodejs/node/commit/100dd19e61)] - **build**: support Jenkins via test-ci (Alexis Campailla) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`ec861f6f90`](https://github.com/nodejs/node/commit/ec861f6f90)] - **build**: make release process easier for multi users (Julien Gilli) [nodejs/node-v0.x-archive#25638](https://github.com/nodejs/node-v0.x-archive/pull/25638) +* 
[[`d7ae79a452`](https://github.com/nodejs/node/commit/d7ae79a452)] - **build,win**: fix node.exe resource version (João Reis) [#3053](https://github.com/nodejs/node/pull/3053) +* [[`6ac47aa9f5`](https://github.com/nodejs/node/commit/6ac47aa9f5)] - **build,win**: try next MSVS version on failure (João Reis) [#2910](https://github.com/nodejs/node/pull/2910) +* [[`e669b27740`](https://github.com/nodejs/node/commit/e669b27740)] - **crypto**: replace rwlocks with simple mutexes (Ben Noordhuis) [#2723](https://github.com/nodejs/node/pull/2723) +* [[`ce0a48826e`](https://github.com/nodejs/node/commit/ce0a48826e)] - **deps**: upgrade to openssl 1.0.1q (Ben Noordhuis) [#4132](https://github.com/nodejs/node/pull/4132) +* [[`b68781e500`](https://github.com/nodejs/node/commit/b68781e500)] - **deps**: upgrade npm to 1.4.29 (Forrest L Norvell) [#3639](https://github.com/nodejs/node/pull/3639) +* [[`7cf0d9c1d9`](https://github.com/nodejs/node/commit/7cf0d9c1d9)] - **deps**: fix openssl for MSVS 2015 (Andy Polyakov) [nodejs/node-v0.x-archive#25857](https://github.com/nodejs/node-v0.x-archive/pull/25857) +* [[`9ee8a14f9e`](https://github.com/nodejs/node/commit/9ee8a14f9e)] - **deps**: fix gyp to work on MacOSX without XCode (Shigeki Ohtsu) [nodejs/node-v0.x-archive#25857](https://github.com/nodejs/node-v0.x-archive/pull/25857) +* [[`a525c7244e`](https://github.com/nodejs/node/commit/a525c7244e)] - **deps**: update gyp to 25ed9ac (João Reis) [nodejs/node-v0.x-archive#25857](https://github.com/nodejs/node-v0.x-archive/pull/25857) +* [[`6502160294`](https://github.com/nodejs/node/commit/6502160294)] - **dns**: allow v8 to optimize lookup() (Brian White) [nodejs/node-v0.x-archive#8942](https://github.com/nodejs/node-v0.x-archive/pull/8942) +* [[`5d829a63ab`](https://github.com/nodejs/node/commit/5d829a63ab)] - **doc**: backport README.md (Rod Vagg) [#3965](https://github.com/nodejs/node/pull/3965) +* [[`62c8948109`](https://github.com/nodejs/node/commit/62c8948109)] - **doc**: fix 
Folders as Modules omission of index.json (Elan Shanker) [nodejs/node-v0.x-archive#8868](https://github.com/nodejs/node-v0.x-archive/pull/8868) +* [[`572663f303`](https://github.com/nodejs/node/commit/572663f303)] - **https**: don't overwrite servername option (skenqbx) [nodejs/node-v0.x-archive#9368](https://github.com/nodejs/node-v0.x-archive/pull/9368) +* [[`75c84b2439`](https://github.com/nodejs/node/commit/75c84b2439)] - **test**: add test for https agent servername option (skenqbx) [nodejs/node-v0.x-archive#9368](https://github.com/nodejs/node-v0.x-archive/pull/9368) +* [[`841a6dd264`](https://github.com/nodejs/node/commit/841a6dd264)] - **test**: mark more tests as flaky (Alexis Campailla) [nodejs/node-v0.x-archive#25807](https://github.com/nodejs/node-v0.x-archive/pull/25807) +* [[`a7fee30da1`](https://github.com/nodejs/node/commit/a7fee30da1)] - **test**: mark test-tls-securepair-server as flaky (Alexis Campailla) [nodejs/node-v0.x-archive#25807](https://github.com/nodejs/node-v0.x-archive/pull/25807) +* [[`7df57703dd`](https://github.com/nodejs/node/commit/7df57703dd)] - **test**: mark test-net-error-twice flaky on SmartOS (Julien Gilli) [nodejs/node-v0.x-archive#25760](https://github.com/nodejs/node-v0.x-archive/pull/25760) +* [[`e10892cccc`](https://github.com/nodejs/node/commit/e10892cccc)] - **test**: make test-abort-fatal-error non flaky (Julien Gilli) [nodejs/node-v0.x-archive#25755](https://github.com/nodejs/node-v0.x-archive/pull/25755) +* [[`a2f879f197`](https://github.com/nodejs/node/commit/a2f879f197)] - **test**: mark recently failing tests as flaky (Alexis Campailla) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`e7010bdf92`](https://github.com/nodejs/node/commit/e7010bdf92)] - **test**: runner should return 0 on flaky tests (Alexis Campailla) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* 
[[`c283c9bbb3`](https://github.com/nodejs/node/commit/c283c9bbb3)] - **test**: support writing test output to file (Alexis Campailla) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`eeaed586bb`](https://github.com/nodejs/node/commit/eeaed586bb)] - **test**: runner support for flaky tests (Alexis Campailla) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`3bb8174b94`](https://github.com/nodejs/node/commit/3bb8174b94)] - **test**: refactor to use common testcfg (Timothy J Fontaine) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`df59d43586`](https://github.com/nodejs/node/commit/df59d43586)] - **tools**: pass constant to logger instead of string (Johan Bergström) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`d103d4ed9a`](https://github.com/nodejs/node/commit/d103d4ed9a)] - **tools**: fix test.py after v8 upgrade (Ben Noordhuis) [nodejs/node-v0.x-archive#25686](https://github.com/nodejs/node-v0.x-archive/pull/25686) +* [[`8002192b4e`](https://github.com/nodejs/node/commit/8002192b4e)] - **win**: manifest node.exe for Windows 8.1 (Alexis Campailla) [#2838](https://github.com/nodejs/node/pull/2838) +* [[`66ec1dae8f`](https://github.com/nodejs/node/commit/66ec1dae8f)] - **win**: add MSVS 2015 support (Rod Vagg) [nodejs/node-v0.x-archive#25857](https://github.com/nodejs/node-v0.x-archive/pull/25857) +* [[`e192f61514`](https://github.com/nodejs/node/commit/e192f61514)] - **win**: fix custom actions for WiX older than 3.9 (João Reis) [nodejs/node-v0.x-archive#25569](https://github.com/nodejs/node-v0.x-archive/pull/25569) +* [[`16bcd68dc5`](https://github.com/nodejs/node/commit/16bcd68dc5)] - **win**: fix custom actions on Visual Studio != 2013 (Julien Gilli) [nodejs/node-v0.x-archive#25569](https://github.com/nodejs/node-v0.x-archive/pull/25569) +* 
[[`517986c2f4`](https://github.com/nodejs/node/commit/517986c2f4)] - **win**: backport bringing back xp/2k3 support (Bert Belder) [nodejs/node-v0.x-archive#25569](https://github.com/nodejs/node-v0.x-archive/pull/25569) +* [[`10f251e8dd`](https://github.com/nodejs/node/commit/10f251e8dd)] - **win**: backport set env before generating projects (Alexis Campailla) [nodejs/node-v0.x-archive#25569](https://github.com/nodejs/node-v0.x-archive/pull/25569) + +Windows 32-bit Installer: https://nodejs.org/dist/v0.10.41/node-v0.10.41-x86.msi
+Windows 64-bit Installer: https://nodejs.org/dist/v0.10.41/x64/node-v0.10.41-x64.msi
+Windows 32-bit Binary: https://nodejs.org/dist/v0.10.41/node.exe
+Windows 64-bit Binary: https://nodejs.org/dist/v0.10.41/x64/node.exe
+Mac OS X Universal Installer: https://nodejs.org/dist/v0.10.41/node-v0.10.41.pkg
+Mac OS X 64-bit Binary: https://nodejs.org/dist/v0.10.41/node-v0.10.41-darwin-x64.tar.gz
+Mac OS X 32-bit Binary: https://nodejs.org/dist/v0.10.41/node-v0.10.41-darwin-x86.tar.gz
+Linux 32-bit Binary: https://nodejs.org/dist/v0.10.41/node-v0.10.41-linux-x86.tar.gz
+Linux 64-bit Binary: https://nodejs.org/dist/v0.10.41/node-v0.10.41-linux-x64.tar.gz
+SunOS 32-bit Binary: https://nodejs.org/dist/v0.10.41/node-v0.10.41-sunos-x86.tar.gz
+SunOS 64-bit Binary: https://nodejs.org/dist/v0.10.41/node-v0.10.41-sunos-x64.tar.gz
+Source Code: https://nodejs.org/dist/v0.10.41/node-v0.10.41.tar.gz
+Other release files: https://nodejs.org/dist/v0.10.41/
+Documentation: https://nodejs.org/docs/v0.10.41/api/ + +Shasums (GPG signing hash: SHA512, file hash: SHA256): + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa node.exe +14e149298807914ed19dc9f21634213b5063a818e792ce3c49ae97cac4369c69 node.exp +3f8993ccd878d174a835d5cae866aef0a422d8bac5a34e80ea52b9e2d59d56ce node.lib +ddfb1017678ef1fd3849f94782a5e030a2bce67ed7d5ad0b58b9d77cb761802a node.pdb +f55050a8774828846670fea91695a8da754768021cf1121cf91f788bb3e89d20 node-v0.10.41-darwin-x64.tar.gz +d0deae5ea05b8fae90ca98851e55dbd0fe8b88dab5ed658ebdb61d3e47bc0a5e node-v0.10.41-darwin-x86.tar.gz +2d8f14df7ae2fd999d0b0f9c1b2129f749976325b392bec3cb62827ac639fcaf node-v0.10.41-headers.tar.gz +ebda18d4c6545ac42b3404d629504feea0b2b9e7c7fa68de2a5bcc9059a6dc6c node-v0.10.41-linux-x64.tar.gz +5ab658a14106c4625cadf6976dde223ef5b332d60b03413515764b783eb452ef node-v0.10.41-linux-x86.tar.gz +be6021fe1a80862429771ca9f4d088172ad00edf9977663f1c444a84c963500d node-v0.10.41.pkg +9621df2ffed088f87632c5f4d176e5d49438fce5aeb7b4ce8d2eff0de153a5bf node-v0.10.41-sunos-x64.tar.gz +a5f5ed4d8200e231323db083f3f2735cec13ac6584523b94ac953ad0e4874b66 node-v0.10.41-sunos-x86.tar.gz +79f694e2a5c42543b75d0c69f6860499d7593136d0f6b59e7163b9e66fb2c995 node-v0.10.41.tar.gz +fc51bf38e59d987b1b9db961bee9d88e77f8f0ccff56708ed2d9d0a72392c366 node-v0.10.41-x86.msi +759cd124a5531b90a35e8d56f10e41ec3840c3b37e4b1c425ca67fa421931120 openssl-cli.exe +04bbdfa2be16892d43307d5df3c0fdaa3604acaf11d0b002252362cba8b83420 openssl-cli.pdb +4d07bd6392f3c01898c0786343330de7a6ea7a833645914d5040aeaba5179a66 x64/node.exe +65d0ccd489710bd87d4676778c98758e0769b5716567fd05e88b616553babb1d x64/node.exp +6890afff5ba7b5bc04633fa8dec2bbb4d3547035660cd84882f24045ebfbeb36 x64/node.lib +9963d814a03572c83e434dea2dceb02b7a2cf517c7efe12b4221860707b3c343 x64/node.pdb +783533a090fe300e576cefed2a3eb20c5161f3a59b63f8e7b91262d1b94e0846 x64/node-v0.10.41-x64.msi 
+16b4aa6a3e24f91934439f0145c05f324ea8a1d14df22f49bc999e6c1df85789 x64/openssl-cli.exe +4e2282b67be0f9b6d788909c79003ab7d120eb717ca27d53bddf07aa9bdfb65d x64/openssl-cli.pdb +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQEcBAEBAgAGBQJWYP1dAAoJEMJzeS99g1Rd6hMH/i1BBJpXYRCNv96xaEL+xBhr +T5FHnj3X8etyuTlnEi/EmXbK1xAzH6K6mY2/X61bQpDlg7q24xT3mCI/4WvmyDAG +9gRcmW1Mcv+OcoBXWxQoRBw9d8MukoNjokFJ+29d753UyEq4xr7HAKOpW9L/motI +HdpUonfYqrHzSemhmkD3rL832GcyReRPF3/pkTzfh8Ss22cV255DG0VPRNgU12Fz +J8ztBizg23iAzJOMHb5Tq8tDUgvUt6W46qRm4hqniTOaB9O7e52+k967jgvi5xmm +TkRPiYggUprEYQh1pxHX4GEYeVBXNnACpc/keck0dVOhpGfnB4iYy4/P246Vz3w= +=Tkdg +-----END PGP SIGNATURE----- +``` diff --git a/locale/en/blog/release/v0.12.9.md b/locale/en/blog/release/v0.12.9.md new file mode 100644 index 0000000000000..de586b5e43b4b --- /dev/null +++ b/locale/en/blog/release/v0.12.9.md 
@@ -0,0 +1,79 @@ +--- +date: 2015-12-04T03:02:00.000Z +version: 0.12.9 +category: release +title: Node v0.12.9 (LTS) +slug: node-v0-12-9 +layout: blog-post.hbs +author: Rod Vagg +--- + +**This is an important security release**. All Node.js users should consult our [December Security Release Summary](/en/blog/vulnerability/december-2015-security-releases/) for details on patched vulnerabilities. + +### Notable changes + +* **http**: Fix a bug where an HTTP socket may no longer have an associated parser but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) +* **openssl**: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client authentication; TLS clients are also impacted. Details are available at . (Ben Noordhuis) https://github.com/nodejs/node/pull/4133 + +### Commits + +* [[`8d24a14f2c`](https://github.com/nodejs/node/commit/8d24a14f2c)] - **deps**: upgrade to openssl 1.0.1q (Ben Noordhuis) [#4133](https://github.com/nodejs/node/pull/4133) +* [[`dfc6f4a9af`](https://github.com/nodejs/node/commit/dfc6f4a9af)] - **http**: fix pipeline regression (Fedor Indutny) + + +Windows 32-bit Installer: https://nodejs.org/dist/v0.12.9/node-v0.12.9-x86.msi
+Windows 64-bit Installer: https://nodejs.org/dist/v0.12.9/x64/node-v0.12.9-x64.msi
+Windows 32-bit Binary: https://nodejs.org/dist/v0.12.9/node.exe
+Windows 64-bit Binary: https://nodejs.org/dist/v0.12.9/x64/node.exe
+Mac OS X Universal Installer: https://nodejs.org/dist/v0.12.9/node-v0.12.9.pkg
+Mac OS X 64-bit Binary: https://nodejs.org/dist/v0.12.9/node-v0.12.9-darwin-x64.tar.gz
+Mac OS X 32-bit Binary: https://nodejs.org/dist/v0.12.9/node-v0.12.9-darwin-x86.tar.gz
+Linux 32-bit Binary: https://nodejs.org/dist/v0.12.9/node-v0.12.9-linux-x86.tar.gz
+Linux 64-bit Binary: https://nodejs.org/dist/v0.12.9/node-v0.12.9-linux-x64.tar.gz
+SunOS 32-bit Binary: https://nodejs.org/dist/v0.12.9/node-v0.12.9-sunos-x86.tar.gz
+SunOS 64-bit Binary: https://nodejs.org/dist/v0.12.9/node-v0.12.9-sunos-x64.tar.gz
+Source Code: https://nodejs.org/dist/v0.12.9/node-v0.12.9.tar.gz
+Other release files: https://nodejs.org/dist/v0.12.9/
+Documentation: https://nodejs.org/docs/v0.12.9/api/ + +Shasums (GPG signing hash: SHA512, file hash: SHA256): + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +ca0bb8e1a2c1e5c23bbd1f8f6e4859f279532a820767f2a356fafd74c7a96dc9 node.exe +9a197cf39b61dec42fcdccf3b3f6f3289c9720186647d4474e39fa0e575bb0a6 node.exp +3ece6db1d6dc791c414d84324f41d3b3bae6ae57bd1c6185e9fb1802fbc5ef37 node.lib +c8435274e80cdb80cced49ef724f3c53b3f1439eb3b8fca022f0b18b4bcea3b7 node.pdb +8a40582c8f346f4acb08ab29bdc171db5fea55603999e02be1ebfcdd2ed3ca83 node-v0.12.9-darwin-x64.tar.gz +a89d21abe0eaae1fd4cd4753a7ccde5bb60188148742281f1b36830bb02d50fd node-v0.12.9-darwin-x86.tar.gz +0da8dd9dd5bbfa821d4e957a0687f3cc39bc6cbc45f75d6751107142141426ca node-v0.12.9-headers.tar.gz +3416451924c9c996e1d7224f5e5507df84b90dc730d4760e3f4daac1bd4c44df node-v0.12.9-linux-x64.tar.gz +07b25b4a886b1b04d427b2b6414c9e4a913f53bb9574c26f010b35984b70df10 node-v0.12.9-linux-x86.tar.gz +8fa10d973e2dc7296fb5620ddede5a55e87a332762593437ab8db61051045e67 node-v0.12.9.pkg +460a75865d6155dc39794204214c567a239b319122caf116a60f870f0987b720 node-v0.12.9-sunos-x64.tar.gz +039c710094ac76bea7027cf37daceb5708e46cac0bd082d7004c9710ad77ad1f node-v0.12.9-sunos-x86.tar.gz +35daad301191e5f8dd7e5d2fbb711d081b82d1837d59837b8ee224c256cfe5e4 node-v0.12.9.tar.gz +1f57e2fff78519569abced323c6206fc1bd32a1d374c6a05537b2873a88a7928 node-v0.12.9-x86.msi +a765092067696be8b49736b6fce2986350a1c7581be105cf935d85636bbe809e openssl-cli.exe +ee5c379a4a6f5d8640af18d811566b5dacd0ae242e70928114b95825bacd3fd4 openssl-cli.pdb +e8b4a1307332a65c5c699c1b4a4006ffd12f187a3ab9cad8f5d8e2c408a488e6 x64/node.exe +8eb895b612690d8ab2fd06c89d3f289f4e07a9a9292bb9f8cd6c6b8cc09bd05d x64/node.exp +e12d3ae12103ab7d879f4c1f6ac1da77239c73cc4599fe142a7b465837ce23b6 x64/node.lib +a2d7f30af6c1e97e306cc3481e4caa2fa7e8380344acee9f8e25a6121a2df01a x64/node.pdb +0d9913cb6ec8f0ea0cc9718e569a465397884b8a68863e21276866b8d394553f x64/node-v0.12.9-x64.msi 
+8943965f64d7495c6e8097916558826095472ecf64cd9bdc6ea52bd706aa086f x64/openssl-cli.exe +98ad5e5ff48f486a0844db9398776021c3ba23c384d3a7a2d1229e37563394c2 x64/openssl-cli.pdb +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQEcBAEBAgAGBQJWYPz5AAoJEMJzeS99g1RdYvMH/jyTZyBiFjtNrkETy4BlfhMr +LYmB22yTK9wTyb4SNwta1TO8WXOHg9NwH4VVAHXgBrMeIpgV8DJyGjHW2AhibFyB +NohDdcyIbzCciR07AsA9Vqa1u9ZFUNLzH/+5389eIINyhJTUB1gtlKxX/IbQ+luS ++Iy99sEu8RiaOmwus7vsY0agvatm7k8nUOVheQlXUh8OH3nYxqDKzTxdzxJm1j9k +cL0RWYErA5b/LRLeRAHJG9uz81Jd/EiArhe+7FBLTrJVl69Ruk/nPeUrbKR/D2MC +Kjd5mEfYSGwDV9YcGecLDq7CQAhscaBqQyFoynE8dOB46wW2PyV9NkYPC5TP9RE= +=F7h4 +-----END PGP SIGNATURE----- +``` diff --git a/locale/en/blog/release/v4.2.3.md b/locale/en/blog/release/v4.2.3.md new file mode 100644 index 0000000000000..f5a81a18510f2 --- /dev/null +++ b/locale/en/blog/release/v4.2.3.md 
@@ -0,0 +1,99 @@ +--- +date: 2015-12-04T03:03:00.000Z +version: 4.2.3 +category: release +title: Node v4.2.3 "Argon" (LTS) +slug: node-v4-2-3 +layout: blog-post.hbs +author: Rod Vagg +--- + +**This is an important security release**. All Node.js users should consult our [December Security Release Summary](/en/blog/vulnerability/december-2015-security-releases/) for details on patched vulnerabilities. + +### Notable changes + +* **http**: Fix a bug where an HTTP socket may no longer have an associated parser but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) +* **openssl**: Upgrade to 1.0.2e, containing fixes for: + - CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64", an attack may be feasible against a Node.js TLS server using DHE key exchange. Details are available at . + - CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client authentication; TLS clients are also impacted. Details are available at . + (Shigeki Ohtsu) [#4134](https://github.com/nodejs/node/pull/4134) +* **v8**: Backport fixes for a bug in `JSON.stringify()` that can result in out-of-bounds reads for arrays. (Ben Noordhuis) + +### Known issues + +* Some problems with unreferenced timers running during `beforeExit` are still to be resolved. See [#1264](https://github.com/nodejs/node/issues/1264). +* Surrogate pair in REPL can freeze terminal. [#690](https://github.com/nodejs/node/issues/690) +* Calling `dns.setServers()` while a DNS query is in progress can cause the process to crash on a failed assertion. [#894](https://github.com/nodejs/node/issues/894) +* `url.resolve` may transfer the auth portion of the url when resolving between two full hosts, see [#1435](https://github.com/nodejs/node/issues/1435). 
+ +### Commits + +* [[`49bbd563be`](https://github.com/nodejs/node/commit/49bbd563be)] - **deps**: upgrade openssl sources to 1.0.2e (Shigeki Ohtsu) [#4134](https://github.com/nodejs/node/pull/4134) +* [[`9a063fd492`](https://github.com/nodejs/node/commit/9a063fd492)] - **deps**: backport a7e50a5 from upstream v8 (Ben Noordhuis) [nodejs/node-private#8](https://github.com/nodejs/node-private/pull/8) +* [[`07233206e9`](https://github.com/nodejs/node/commit/07233206e9)] - **deps**: backport 6df9a1d from upstream v8 (Ben Noordhuis) [nodejs/node-private#8](https://github.com/nodejs/node-private/pull/8) +* [[`1c8e6de78e`](https://github.com/nodejs/node/commit/1c8e6de78e)] - **http**: fix pipeline regression (Fedor Indutny) [nodejs/node-private#5](https://github.com/nodejs/node-private/pull/5) + + + +Windows 32-bit Installer: https://nodejs.org/dist/v4.2.3/node-v4.2.3-x86.msi
+Windows 64-bit Installer: https://nodejs.org/dist/v4.2.3/node-v4.2.3-x64.msi
+Windows 32-bit Binary: https://nodejs.org/dist/v4.2.3/win-x86/node.exe
+Windows 64-bit Binary: https://nodejs.org/dist/v4.2.3/win-x64/node.exe
+Mac OS X 64-bit Installer: https://nodejs.org/dist/v4.2.3/node-v4.2.3.pkg
+Mac OS X 64-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-darwin-x64.tar.gz
+Linux 32-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-linux-x86.tar.gz
+Linux 64-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-linux-x64.tar.gz
+SunOS 32-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-sunos-x86.tar.gz
+SunOS 64-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-sunos-x64.tar.gz
+ARMv6 32-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-linux-armv6l.tar.gz
+ARMv7 32-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-linux-armv7l.tar.gz
+ARMv8 64-bit Binary: https://nodejs.org/dist/v4.2.3/node-v4.2.3-linux-arm64.tar.gz
+Source Code: https://nodejs.org/dist/v4.2.3/node-v4.2.3.tar.gz
+Other release files: https://nodejs.org/dist/v4.2.3/
+Documentation: https://nodejs.org/docs/v4.2.3/api/ + +Shasums (GPG signing hash: SHA512, file hash: SHA256): +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +078b033d98367da2248b443ed74f0b8a5808783d07cf0c24884457fd66b68fc1 node-v4.2.3-darwin-x64.tar.gz +9890cba5c90e6bd0465140dda2471e3545a7fd19a8f927af8f6c6ce145cb33d1 node-v4.2.3-darwin-x64.tar.xz +e8fab75b9183a4f35c358813e3c5d451daf2fef737a21494f7aa64bdd538c87c node-v4.2.3-headers.tar.gz +27d79e6b6f1613f9a9cb97f6cfecd0cb710bc6719f24cae2e284b8693eb40d1e node-v4.2.3-headers.tar.xz +9ec1becd52959920a0f06c92f01b3c3e8c09dd35b4b4f591d975f1975a5f1689 node-v4.2.3-linux-arm64.tar.gz +d6b7233fe980b647bb4349ec577387baf38177cf5952596358b1c3ee7dd11fc6 node-v4.2.3-linux-arm64.tar.xz +50b158bc4c324e78bc5ceb08e2d5e6aefb34f2570798e7ac4fd12bacd6733478 node-v4.2.3-linux-armv6l.tar.gz +095fe43b1a224ec1afae2ee9c19586fddfe4135fea6c1f3cec9907128a436203 node-v4.2.3-linux-armv6l.tar.xz +bebe529dd9ef576193cd7ef40f3f8a16f51317251b624f5e6a9998861b1778f3 node-v4.2.3-linux-armv7l.tar.gz +f5faa99318d7c89de6706b5d7e3602fd613eb7fd002222f7674d28136311cc13 node-v4.2.3-linux-armv7l.tar.xz +644d4c0b206ebcb75383fbe42f6025e7253a61992816289359d0f4dcdb6087d7 node-v4.2.3-linux-x64.tar.gz +feac5b14a28fa32513bcbbbee1712e24996597510d9d1718ce8b0e22e019f8a2 node-v4.2.3-linux-x64.tar.xz +fd30b15327348520dc840bb95a1441d0495e7a843d5a7ec102f012aedc1b3a75 node-v4.2.3-linux-x86.tar.gz +6706cb10ea2252ddd167bcedb77e9884eee3ce2a683a9e21ec417e9084a9187a node-v4.2.3-linux-x86.tar.xz +0d72b52f99291bef3961ca78b9add920524eae84b4879c0e003546bd28f7a604 node-v4.2.3.pkg +28096b317320bec8d40263975bdc3fdd1b77c941304abcb3fd6c106970b3a936 node-v4.2.3-sunos-x64.tar.gz +d647fe76ffe5bb8d3359d0d9196e972b3f7ca895246c5e7379b3e1c0e1539697 node-v4.2.3-sunos-x64.tar.xz +b37e7652c5d0e08c6c2087e03c0fa860ab55b9c005db33c50373de891eb48dba node-v4.2.3-sunos-x86.tar.gz +e5ef81350f32320fca5067573b391a1a4ebcc5b9b73e27d60317f6f6b7ff3881 node-v4.2.3-sunos-x86.tar.xz 
+5008ade5feb4b089f59163f66bffddc113f27de5d78edf203e39435c2c5d554f node-v4.2.3.tar.gz +9e8aef1e47b317575c421c8d10a80e6c319b26969b566d3b84e49e65a92837f4 node-v4.2.3.tar.xz +3dc276d247684cf45ace30fb99bc44e1af1467108075016a4cd17f980aae086a node-v4.2.3-x64.msi +a425efc379bca298f3bb1395aafbf851b1d8c6c27fdacf5155bbf4b0b0749332 node-v4.2.3-x86.msi +b987313753634a22e79876fa42b8e85ef33d735164d291416d60bbd7b1ff2603 win-x64/node.exe +109e4dc21a761e5a0707798f6c7575faac5c5f83fda8f6903aea05a89e5e9a14 win-x64/node.lib +ecc0e06bce6e95d849ba2224a3e0666537da08b0e99e132b39633a53d670c05f win-x86/node.exe +dc35cce7b4928c7635d1ab0b76b6cea35b5029ca4241191dc126a0fc16bd0382 win-x86/node.lib +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQEcBAEBAgAGBQJWYPvzAAoJEMJzeS99g1RdUDAH/0vQha25eANiUxKhIMOWFAF6 +CdsqGDVjfHq6NsUfx3Ehlwu0gVGpDNDU4Pi7M5unXd17UzOlvFBnqGdY5Hcz/4w+ +bA2UMJQwr8O28FJ0rShGrYThlM0YMMHnJKtECRzsv54FuCUaUiKkB2omqPY/0aIZ +nHeqAyfvR1y4k/Elx9y2Ni3tMaikQBAeMif7exIYvTrB8H5P4lZoEECRBt1/If87 +ui9CRj28Q0fv9HS24iQuXCf4sNhMLq2JEgzH7hzG35GZijj9fby9k/loq8NXs7li +5p4YId7nQhciSaAY3zS1JaUnofBdg35zIIorz4fJZ5dLreeZN7XCjC7eqFpsjMg= +=GNHn +-----END PGP SIGNATURE----- + +``` diff --git a/locale/en/blog/release/v5.1.1.md b/locale/en/blog/release/v5.1.1.md new file mode 100644 index 0000000000000..64cabee1f7863 --- /dev/null +++ b/locale/en/blog/release/v5.1.1.md 
@@ -0,0 +1,99 @@ +--- +date: 2015-12-04T03:04:00.000Z +version: 5.1.1 +category: release +title: Node v5.1.1 (Stable) +slug: node-v5-1-1 +layout: blog-post.hbs +author: Rod Vagg +--- + +**This is an important security release**. All Node.js users should consult our [December Security Release Summary](/en/blog/vulnerability/december-2015-security-releases/) for details on patched vulnerabilities. + +### Notable changes + +* **http**: Fix a bug where an HTTP socket may no longer have an associated parser but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny) +* **openssl**: Upgrade to 1.0.2e, containing fixes for: + - CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64", an attack may be feasible against a Node.js TLS server using DHE key exchange. Details are available at . + - CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client authentication; TLS clients are also impacted. Details are available at . + (Shigeki Ohtsu) [#4134](https://github.com/nodejs/node/pull/4134) +* **v8**: Backport fixes for a bug in `JSON.stringify()` that can result in out-of-bounds reads for arrays. (Ben Noordhuis) + +### Known issues + +* Surrogate pair in REPL can freeze terminal. [#690](https://github.com/nodejs/node/issues/690) +* Calling `dns.setServers()` while a DNS query is in progress can cause the process to crash on a failed assertion. [#894](https://github.com/nodejs/node/issues/894) +* `url.resolve` may transfer the auth portion of the url when resolving between two full hosts, see [#1435](https://github.com/nodejs/node/issues/1435). +* Unicode characters in filesystem paths are not handled consistently across platforms or Node.js APIs. See [#2088](https://github.com/nodejs/node/issues/2088), [#3401](https://github.com/nodejs/node/issues/3401) and [#3519](https://github.com/nodejs/node/issues/3519). 
+ +### Commits + +* [[`678398f250`](https://github.com/nodejs/node/commit/678398f250)] - **deps**: backport a7e50a5 from upstream v8 (Ben Noordhuis) +* [[`76a552c938`](https://github.com/nodejs/node/commit/76a552c938)] - **deps**: backport 6df9a1d from upstream v8 (Ben Noordhuis) +* [[`533881f889`](https://github.com/nodejs/node/commit/533881f889)] - **deps**: upgrade openssl sources to 1.0.2e (Shigeki Ohtsu) [#4134](https://github.com/nodejs/node/pull/4134) +* [[`12e70fafd3`](https://github.com/nodejs/node/commit/12e70fafd3)] - **http**: fix pipeline regression (Fedor Indutny) + + + +Windows 32-bit Installer: https://nodejs.org/dist/v5.1.1/node-v5.1.1-x86.msi
+Windows 64-bit Installer: https://nodejs.org/dist/v5.1.1/node-v5.1.1-x64.msi
+Windows 32-bit Binary: https://nodejs.org/dist/v5.1.1/win-x86/node.exe
+Windows 64-bit Binary: https://nodejs.org/dist/v5.1.1/win-x64/node.exe
+Mac OS X 64-bit Installer: https://nodejs.org/dist/v5.1.1/node-v5.1.1.pkg
+Mac OS X 64-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-darwin-x64.tar.gz
+Linux 32-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-linux-x86.tar.gz
+Linux 64-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-linux-x64.tar.gz
+SunOS 32-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-sunos-x86.tar.gz
+SunOS 64-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-sunos-x64.tar.gz
+ARMv6 32-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-linux-armv6l.tar.gz
+ARMv7 32-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-linux-armv7l.tar.gz
+ARMv8 64-bit Binary: https://nodejs.org/dist/v5.1.1/node-v5.1.1-linux-arm64.tar.gz
+Source Code: https://nodejs.org/dist/v5.1.1/node-v5.1.1.tar.gz
+Other release files: https://nodejs.org/dist/v5.1.1/
+Documentation: https://nodejs.org/docs/v5.1.1/api/ + +Shasums (GPG signing hash: SHA512, file hash: SHA256): +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +cb6c831e7c3a8432a14a0e4ddb2000295c0166abce06b2d50134cc2cccb2dc9c node-v5.1.1-darwin-x64.tar.gz +12566e3edfc24ad0efebcfa20ceed79ca87811bafe2c8b92432ff4614885c6ef node-v5.1.1-darwin-x64.tar.xz +cc320d0a3df073e9e92816d5698d69ade780ce854f26146539f0b29cb5be616a node-v5.1.1-headers.tar.gz +f0dba3ef1f953a8ebb4c610a1279a48ed1ba57fe24ab7783fd0fedadeaba3f9c node-v5.1.1-headers.tar.xz +1723abf50ee9b2b2209af06374523ae657c5562166bdc44b7b8d32801484c572 node-v5.1.1-linux-arm64.tar.gz +5fefa92daf840076947a7ac2e97bcd2dcf35e1c632251b5ba73357318c8a7a1f node-v5.1.1-linux-arm64.tar.xz +e7b154a5f7574155df5e3b5df90af762ab0edde128e36eeac0bd8ba2a8f00697 node-v5.1.1-linux-armv6l.tar.gz +30011d4caca9d07e076c11beed7e2c67c0e4e3b20ac29cb80d479db1131ab78f node-v5.1.1-linux-armv6l.tar.xz +fd96f77310708097cf9e783b9842122a4e2859674965734b7b22a615cb756165 node-v5.1.1-linux-armv7l.tar.gz +ac0b4e73a180406883d8c5700623966093f0442988facf024d59129fa9017434 node-v5.1.1-linux-armv7l.tar.xz +0c1a0788dfc07d1cfac08b9789f0e52950e80e61944e1684b27600463a5d2623 node-v5.1.1-linux-x64.tar.gz +0de39988d293434eedb2c78e48dddfa5cb7c7f77cb4a1e6c2e4af4d44caf10aa node-v5.1.1-linux-x64.tar.xz +30099a0f305899aacdfd974873807b6bd8b6971c0a26209220a6e4cd88c08d70 node-v5.1.1-linux-x86.tar.gz +e00bf38d9e24b4631ea0ff089ffeea39f37512900ca9e50628e716ecb0083184 node-v5.1.1-linux-x86.tar.xz +7311f4848381ded99fd5415e818337efb9b9138656fbab80eb5fcf7f42d7bde8 node-v5.1.1.pkg +14dfdf63f1ac8c9972199e7a62d8c732cf269e081aec6caa9e0e3f46d116d486 node-v5.1.1-sunos-x64.tar.gz +1c45a06cd78ef236cfb331a43677ca514b1e5f9d52603c608fae998986f43cfb node-v5.1.1-sunos-x64.tar.xz +11ccaadb1e22b3c80548686caf19070c34017667866285fe8b6cb8b9e6afca30 node-v5.1.1-sunos-x86.tar.gz +3971913cfce5182b626b761e7435811837542424da8d84d146383b37bba6ff95 node-v5.1.1-sunos-x86.tar.xz 
+a779e024f800b5ec51f375fa1c14eda7254216daa36a1960cc1e4195b9fc22c3 node-v5.1.1.tar.gz +b3aaa01051576425afce753d30b16be67f391222ff445b0c716ccf9e12d1b94b node-v5.1.1.tar.xz +d008ca8791145cf64db1a6ffc177fd70766619953d46570a1e39258c23001ed2 node-v5.1.1-x64.msi +cea518f4bccc4818f77f09bb7c6e77a1b84d3cff91f2316d9d1596bf0af484bb node-v5.1.1-x86.msi +482cc88532d945e9e867c7f25f8182062dc8446b4457a6906a4bfdfafae9b947 win-x64/node.exe +82feb5cf14a34da483795ba2c012e63d405f36125912f6ac7584072618bf46da win-x64/node.lib +0e86bac3fd75a07631b8048cd69dd515105a4e4c5bd300716bbf8678afce758e win-x86/node.exe +ed4c4367f53e14e5bd3feb35446aa3f1f533892455fc646cd5efa8b7cfce24dc win-x86/node.lib +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQEcBAEBAgAGBQJWYPxuAAoJEMJzeS99g1RdDagIAKhiCiWHO3jRsTew/tHxROuQ +AA88yXh2SHafXgkE5/iSxAb/oecOOZLQGjg3MrIZnwgZJweqjFmePLc6XiEZNDU5 +FiN/8SUTknW8no30SIr6yaE7S//Lw1xpeZLgYsjcqeKJ32P11hQ1TdfbXIigR0AM +EhZs4m55X76mD4+wn6LnZeQxoxdXtsk+HHhNGesPOiNw0dpaVidkWqzISvSHy6lS +zTD35CUdmjaHezu680il2WED3aublrRBwTmaXowUHnUGI0JQtUDkcA9ohMrfqO8F +PwoGrXDYw8YIZWUux4Jc3kBbgA+PsyVWw31hdT1mJjYqP9SIaGIbsh1j1dCsC7g= +=8elM +-----END PGP SIGNATURE----- + +``` diff --git a/locale/en/blog/vulnerability/december-2015-security-releases.md b/locale/en/blog/vulnerability/december-2015-security-releases.md new file mode 100644 index 0000000000000..7a8521f6adf1c --- /dev/null +++ b/locale/en/blog/vulnerability/december-2015-security-releases.md 
@@ -0,0 +1,60 @@ +--- +date: 2015-12-04T03:05:00.000Z +category: vulnerability +title: December Security Release Summary +slug: december-2015-security-releases +layout: blog-post.hbs +author: Rod Vagg +--- + +Last week we [announced](https://groups.google.com/d/msg/nodejs-sec/Zf7Nxtg230E/eX4UCWf0BAAJ) the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the [announcement](https://mta.openssl.org/pipermail/openssl-announce/2015-November/000045.html) of OpenSSL updates with fixes for vulnerabilities labelled _medium_ severity. The OpenSSL update impacts all active release lines, including v0.10.x. + +Today we have released Node.js [v0.10.41 (Maintenance)](/en/blog/release/v0.10.41/), [v0.12.9 (LTS)](/en/blog/release/v0.12.9/), [v4.2.3 "Argon" (LTS)](/en/blog/release/v4.2.3/) and [v5.1.1 (Stable)](/en/blog/release/v5.1.1/) with fixes for the announced vulnerabilities and updates to OpenSSL. + +For the purpose of understanding the impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances we are providing details below. + +### CVE-2015-8027 Denial of Service Vulnerability + +This critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an `uncaughtException` to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical. 
+ +* Versions 0.10.x of Node.js are not affected. +* Versions 0.12.x of Node.js are **vulnerable**, please upgrade to [v0.12.9 (LTS)](/en/blog/release/v0.12.9/). +* Versions 4.x, including LTS Argon, of Node.js are **vulnerable**, please upgrade to [v4.2.3 "Argon" (LTS)](/en/blog/release/v4.2.3/). +* Versions 5.x of Node.js are **vulnerable**, please upgrade to [v5.1.1 (Stable)](/en/blog/release/v5.1.1/). + +### CVE-2015-6764 V8 Out-of-bounds Access Vulnerability + +A bug was discovered in V8's implementation of `JSON.stringify()` that can result in out-of-bounds reads on arrays. The patch was included in this week's [update of Chrome Stable](http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update.html). While this bug is high severity for browsers, it is considered lower risk for Node.js users as it requires the execution of third-party JavaScript within an application in order to be exploitable. + +Node.js users who expose services that process untrusted user-supplied JavaScript are at obvious risk. However, we recommend that all users of impacted versions of Node.js upgrade to the appropriate patched version in order to protect against malicious third-party JavaScript that may be executed within a Node.js process by other means. + +* Versions 0.10.x of Node.js are not affected. +* Versions 0.12.x of Node.js are not affected. +* Versions 4.x, including LTS Argon, of Node.js are **vulnerable**, please upgrade to [v4.2.3 "Argon" (LTS)](/en/blog/release/v4.2.3/). +* Versions 5.x of Node.js are **vulnerable**, please upgrade to [v5.1.1 (Stable)](/en/blog/release/v5.1.1/). + +### CVE-2015-3193 OpenSSL BN_mod_exp may produce incorrect results on x86_64 + +A bug exists in OpenSSL v1.0.2 in the [Montgomery squaring](https://en.wikipedia.org/wiki/Exponentiation_by_squaring#Montgomery.27s_ladder_technique) procedure on the x64 architecture that expose potential attack vectors. 
Attacks against RSA and DSA are considered possible but with a very high degree of difficulty. Attacks against DHE key exchange is considered feasible but difficult. EC algorithms are not vulnerable. Node.js TLS servers using DHE key exchange are considered at highest risk although it is believed that Node.js' existing use of `SSL_OP_SINGLE_DH_USE` may make [DHE attacks impractical](https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html). Details are available at . + +OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users exposing TLS servers upgrade to patched versions as soon as practical. + +* Versions 0.10.x of Node.js are not affected. +* Versions 0.12.x of Node.js are not affected. +* Versions 4.x, including LTS Argon, of Node.js are **vulnerable**, please upgrade to [v4.2.3 "Argon" (LTS)](/en/blog/release/v4.2.3/). +* Versions 5.x of Node.js are **vulnerable**, please upgrade to [v5.1.1 (Stable)](/en/blog/release/v5.1.1/). + +### CVE-2015-3194 OpenSSL Certificate verify crash with missing PSS parameter + +A bug exists in OpenSSL v1.0.1 and v1.0.2 that may cause a crash during certificate verification procedures when supplied with a malformed ASN.1 signature using the RSA PSS algorithm. This may be used as a the basis of a denial of service (DoS) attack against Node.js TLS servers using client authentication. Node.js TLS clients are also impacted if supplied with malformed certificates for verification. Details are available at . + +OpenSSL v1.0.0 is used in Node.js v0.10.x and v0.12.x. OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users employing either TLS client or server code upgrade as soon as practical. + +* Versions 0.10.x of Node.js are **vulnerable**, please upgrade to [v0.10.41 (Maintenance)](/en/blog/release/v0.10.41/). 
+* Versions 0.12.x of Node.js are **vulnerable**, please upgrade to [v0.12.9 (LTS)](/en/blog/release/v0.12.9/). +* Versions 4.x, including LTS Argon, of Node.js are **vulnerable**, please upgrade to [v4.2.3 "Argon" (LTS)](/en/blog/release/v4.2.3/). +* Versions 5.x of Node.js are **vulnerable**, please upgrade to [v5.1.1 (Stable)](/en/blog/release/v5.1.1/). + +**Note:** Node.js users are not considered vulnerable to the two additional announced OpenSSL vulnerabilities: CVE-2015-3195 "X509_ATTRIBUTE memory leak" and CVE-2015-3196 "Race condition handling PSK identify hint". However, fixes for these bugs are included with the new versions of OpenSSL bundled with the newly patched versions of Node.js. + +
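Review bot: in locale/en/blog/release/v5.1.1.md the Shasums label says "GPG signing hash: SHA512", but the clearsigned block directly below it declares `Hash: SHA1`. One of the two is wrong: either regenerate the signature with a SHA512 digest so it matches the label, or correct the label so that readers verifying the release know which digest the signature actually uses. Because this block is what users check their downloads against, re-signing with the stronger digest is the preferable fix.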
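Review bot: in locale/en/blog/vulnerability/december-2015-security-releases.md, the CVE-2015-3194 section states "OpenSSL v1.0.0 is used in Node.js v0.10.x and v0.12.x", which contradicts the paragraph just above it (the bug exists in OpenSSL v1.0.1 and v1.0.2) and the bullets below it that mark 0.10.x and 0.12.x as vulnerable; this should read v1.0.1. Both OpenSSL sections also end with "Details are available at ." and no link target, so the advisory URL still needs to be supplied. In the CVE-2015-3193 section the "Montgomery squaring" link points at the Montgomery's ladder anchor of the Wikipedia exponentiation-by-squaring article, which is a different technique from the Montgomery squaring used in `BN_mod_exp`; link a Montgomery multiplication reference or drop the link. Minor wording in the same sections: "that expose potential attack vectors" should be "exposes", "Attacks against DHE key exchange is considered" should be "are considered", and "as a the basis" has a stray "a".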