Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: upgrade openssl to 1.0.2g #5507

Merged
merged 1 commit into from
Mar 1, 2016
Merged

Conversation

bnoordhuis
Copy link
Member

CI: https://ci.nodejs.org/job/node-test-commit/2393/ (all green)

R=@nodejs/crypto

@bnoordhuis bnoordhuis added the crypto Issues and PRs related to the crypto subsystem. label Mar 1, 2016
@mscdex mscdex added the openssl Issues and PRs related to the OpenSSL dependency. label Mar 1, 2016
@indutny
Copy link
Member

indutny commented Mar 1, 2016

LGTM

@bnoordhuis bnoordhuis closed this Mar 1, 2016
@bnoordhuis bnoordhuis deleted the openssl-1.0.2g branch March 1, 2016 18:03
@bnoordhuis bnoordhuis merged commit 3271995 into nodejs:master Mar 1, 2016
@Fishrock123
Copy link
Contributor

Are we hoping to pull this into v5.7.1?

@Fishrock123 Fishrock123 mentioned this pull request Mar 1, 2016
5 tasks
@bnoordhuis
Copy link
Member Author

@Fishrock123 See https://github.com/nodejs/security/issues/40 - the conclusion is that the CVEs that affect node are low impact (i.e. not realistically exploitable.) It shouldn't hurt to pull it in, though.

@jasnell
Copy link
Member

jasnell commented Mar 1, 2016

LGTM

@MylesBorins
Copy link
Contributor

Tests pass locally on v4.x-staging. Unless i hear otherwise I'll be including this in a new v4.4.0 rc that i'll be cutting later today

MylesBorins pushed a commit that referenced this pull request Mar 1, 2016
PR-URL: #5507
Reviewed-By: Fedor Indutny <[email protected]>
MylesBorins pushed a commit that referenced this pull request Mar 1, 2016
PR-URL: #5507
Reviewed-By: Fedor Indutny <[email protected]>
MylesBorins pushed a commit that referenced this pull request Mar 1, 2016
In December we announced that we would be doing a minor release in order to
get a number of voted on SEMVER-MINOR changes into LTS. Our ability to release this
was delayed due to the unforeseen security release v4.3. We are quickly bumping to
v4.4 in order to bring you the features that we had committed to releasing.

This release also includes security updates to openssl. More information can be found [on nodejs.org](https://nodejs.org/en/blog/vulnerability/openssl-march-2016/)

This release also includes over 70 fixes to our docs and over 50 fixes to tests.

The SEMVER-MINOR changes include:
  * deps:
    - An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) #3609
  * http:
    - A new feature in http(s) agent that catches errors on *keep alived* connections (José F. Romaniello) #4482
  * src:
    - Better support for Big-Endian systems (Bryon Leung) #3410
  * tls:
    - A new feature that allows you to pass common SSL options to `tls.createSecurePair` (Коренберг Марк) #2441
  * tools
    - a new flag `--prof-process` which will execute the tick processor on the provided isolate files (Matt Loring) #4021

Notable semver patch changes include:

  * buld:
    - Support python path that includes spaces. This should be of particular interest to our Windows users who may have python living in `c:/Program Files` (Felix Becker) #4841
  * https:
    - A potential fix for #3692 HTTP/HTTPS client requests throwing EPROTO (Fedor Indutny) #4982
  * installer:
    - More readable profiling information from isolate tick logs (Matt Loring) #3032
  * *npm:
    - upgrade to npm 2.14.20 (Kat Marchán) #5510
  * *openssl:
    - upgrade openssl to 1.0.2g (Ben Noordhuis) #5507
  * process:
    - Add support for symbols in event emitters. Symbols didn't exist when it was written ¯\_(ツ)_/¯ (cjihrig) #4798
  * querystring:
    - querystring.parse() is now 13-22% faster! (Brian White) #4675
  * streams:
    - performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! (Matteo Collina) #4354
  * tools:
    - eslint has been updated to version 2.1.0 (Rich Trott) #5214

PR-URL: #5301
@MylesBorins MylesBorins mentioned this pull request Mar 1, 2016
MylesBorins pushed a commit to MylesBorins/node that referenced this pull request Mar 1, 2016
In December we announced that we would be doing a minor release in order to
get a number of voted on SEMVER-MINOR changes into LTS. Our ability to release this
was delayed due to the unforeseen security release v4.3. We are quickly bumping to
v4.4 in order to bring you the features that we had committed to releasing.

This release also includes security updates to openssl. More information can be found [on nodejs.org](https://nodejs.org/en/blog/vulnerability/openssl-march-2016/)

This release also includes over 70 fixes to our docs and over 50 fixes to tests.

The SEMVER-MINOR changes include:
  * deps:
    - An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) nodejs#3609
  * http:
    - A new feature in http(s) agent that catches errors on *keep alived* connections (José F. Romaniello) nodejs#4482
  * src:
    - Better support for Big-Endian systems (Bryon Leung) nodejs#3410
  * tls:
    - A new feature that allows you to pass common SSL options to `tls.createSecurePair` (Коренберг Марк) nodejs#2441
  * tools
    - a new flag `--prof-process` which will execute the tick processor on the provided isolate files (Matt Loring) nodejs#4021

Notable semver patch changes include:

  * buld:
    - Support python path that includes spaces. This should be of particular interest to our Windows users who may have python living in `c:/Program Files` (Felix Becker) nodejs#4841
  * https:
    - A potential fix for nodejs#3692 HTTP/HTTPS client requests throwing EPROTO (Fedor Indutny) nodejs#4982
  * installer:
    - More readable profiling information from isolate tick logs (Matt Loring) nodejs#3032
  * *npm:
    - upgrade to npm 2.14.20 (Kat Marchán) nodejs#5510
  * *openssl:
    - upgrade openssl to 1.0.2g (Ben Noordhuis) nodejs#5507
  * process:
    - Add support for symbols in event emitters. Symbols didn't exist when it was written ¯\_(ツ)_/¯ (cjihrig) nodejs#4798
  * querystring:
    - querystring.parse() is now 13-22% faster! (Brian White) nodejs#4675
  * streams:
    - performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! (Matteo Collina) nodejs#4354
  * tools:
    - eslint has been updated to version 2.1.0 (Rich Trott) nodejs#5214

PR-URL: nodejs#5301
MylesBorins pushed a commit that referenced this pull request Mar 2, 2016
PR-URL: #5507
Reviewed-By: Fedor Indutny <[email protected]>
Fishrock123 pushed a commit that referenced this pull request Mar 2, 2016
PR-URL: #5507
Reviewed-By: Fedor Indutny <[email protected]>
@rvagg
Copy link
Member

rvagg commented Mar 2, 2016

We don't need to float patches on top of 1.0.2?

@bnoordhuis
Copy link
Member Author

It wasn't necessary to reapply them, I applied the delta between 1.02f and 1.02g to deps/openssl.

MylesBorins pushed a commit that referenced this pull request Mar 2, 2016
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website https://nodejs.org/en/blog/vulnerability/openssl-march-2016/

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) #5507
  - Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705 https://www.openssl.org/news/vulnerabilities.html#2016-0705.
  - Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at CVE-2016-0797 https://www.openssl.org/news/vulnerabilities.html#2016-0797.
  - Fix a defect that makes the _CacheBleed Atta https://ssrg.nicta.com.au/projects/TS/cachebleed/ _ possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702 https://www.openssl.org/news/vulnerabilities.html#2016-0702.

PR-URL: #5526
Fishrock123 added a commit that referenced this pull request Mar 2, 2016
Notable changes:

* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
#5507
  - Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702

* Fixed several regressions that appeared in v5.7.0:
  - path.relative():
    - Output is no longer unnecessarily verbose (Brian White)
#5389
    - Resolving UNC paths on Windows now works correctly (Owen Smith)
#5456
    - Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) #5490
  - url: Fixed an off-by-one error with `parse()` (Brian White)
#5394
  - dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
#5407

PR-URL: #5464
Fishrock123 added a commit to Fishrock123/node that referenced this pull request Mar 2, 2016
Notable changes:

* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
nodejs#5507
  - Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702

* Fixed several regressions that appeared in v5.7.0:
  - path.relative():
    - Output is no longer unnecessarily verbose (Brian White)
nodejs#5389
    - Resolving UNC paths on Windows now works correctly (Owen Smith)
nodejs#5456
    - Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) nodejs#5490
  - url: Fixed an off-by-one error with `parse()` (Brian White)
nodejs#5394
  - dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
nodejs#5407

PR-URL: nodejs#5464
@Knighton910
Copy link

+1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants