V4.3.2 proposal #5526

Merged
merged 2 commits into from
Mar 2, 2016
Conversation

MylesBorins
Contributor

2016-03-02, Version 4.3.2 'Argon' (LTS), @thealphanerd

This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website

Notable changes

  • openssl
    • this upgrade to openssl 1.0.2g. This fixes the security vulnerabilities that are references in this openssl announce

PR-URL: #5507
Reviewed-By: Fedor Indutny <[email protected]>
@MylesBorins
Contributor Author

ci: https://ci.nodejs.org/job/node-test-pull-request/1809/
citgm: https://ci.nodejs.org/job/thealphanerd-smoker/99/

/cc @nodejs/lts

edit: if everything goes well here it is my hope to have this release go out this afternoon followed by a new v4.4.0-rc which rolls in these changes.

edit: seems like lots of infra failures on linux. Re-running CI job --> https://ci.nodejs.org/job/node-test-commit-linux/2495/

citgm looks a-ok!

edit: linux job looks fine now.

@evanlucas
Contributor

In the commit message:

this upgrade to openssl 1.0.2g. This fixes the security vulnerabilities that are references in this openssl announce

would be clearer like:

Upgrade to openssl 1.0.2g. This fixes the security vulnerabilities that are referenced in this openssl announcement.

@MylesBorins MylesBorins added meta Issues and PRs related to the general management of the project. v4.x labels Mar 2, 2016
@MylesBorins
Contributor Author

@evanlucas updated

@rvagg
Member

rvagg commented Mar 2, 2016

See Notable changes text at #5433 (comment), I've made it so it can stand alone and addresses the Node.js-specific items.

@MylesBorins
Contributor Author

Thanks @rvagg, updated the notable changes.

@MylesBorins MylesBorins force-pushed the v4.3.2-proposal branch 2 times, most recently from fae749b to 992e74f on March 2, 2016 19:35
MylesBorins pushed a commit that referenced this pull request Mar 2, 2016
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website (https://nodejs.org/en/blog/vulnerability/openssl-march-2016/)

Notable changes

* openssl
  - this upgrade to openssl 1.0.2g. This fixes the security vulnerabilities that are references in this openssl announce (https://mta.openssl.org/pipermail/openssl-announce/2016-February/000063.html)

PR-URL: #5526
@MylesBorins
Contributor Author

Build job for release --> https://ci.nodejs.org/job/iojs+release/434/

@rvagg
Member

rvagg commented Mar 2, 2016

release commit didn't update the notable changes, not sure it's a big deal but we should aim for consistency in future

@MylesBorins MylesBorins merged commit c23f608 into v4.x Mar 2, 2016
MylesBorins pushed a commit that referenced this pull request Mar 2, 2016
MylesBorins pushed a commit that referenced this pull request Mar 2, 2016
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website https://nodejs.org/en/blog/vulnerability/openssl-march-2016/

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) #5507
  - Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705 https://www.openssl.org/news/vulnerabilities.html#2016-0705.
  - Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at CVE-2016-0797 https://www.openssl.org/news/vulnerabilities.html#2016-0797.
  - Fix a defect that makes the _CacheBleed Attack_ (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702 https://www.openssl.org/news/vulnerabilities.html#2016-0702.

PR-URL: #5526
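The release notes above name 1.0.2g as the OpenSSL version carrying the fixes for CVE-2016-0702, CVE-2016-0705 and CVE-2016-0797. As an added example (not part of this PR or of Node.js), the script below parses OpenSSL's letter-suffixed version scheme (1.0.2f < 1.0.2g) and reports which of those advisories are still open for the OpenSSL bundled in a running Node.js process; the CVE list and the 1.0.2g threshold are taken from the commit message, the function names are the example's own.

```javascript
// Added example: audit the bundled OpenSSL of a Node.js process against the
// 1.0.2g upgrade described in the v4.3.2 release notes (CVE-2016-0702,
// CVE-2016-0705, CVE-2016-0797). Not code from the Node.js project.

// Parse "1.0.2g" into comparable numbers: [1, 0, 2, 7]. OpenSSL 1.0.x uses
// letters for the patch level ("" = 0, "a" = 1, ..., "z" = 26, "za" = 27 ...).
function parseOpenSslVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised OpenSSL version: ${v}`);
  let patch = 0;
  for (const ch of m[4]) patch = patch * 26 + (ch.charCodeAt(0) - 96);
  return [Number(m[1]), Number(m[2]), Number(m[3]), patch];
}

// Ordering on OpenSSL version strings: -1, 0 or 1 like a comparator.
function compareOpenSsl(a, b) {
  const pa = parseOpenSslVersion(a);
  const pb = parseOpenSslVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Threshold and advisory list exactly as given in the release commit message.
const FIXED_IN = '1.0.2g';
const ADDRESSED_CVES = ['CVE-2016-0702', 'CVE-2016-0705', 'CVE-2016-0797'];

// Advisories from this release still open for a 1.0.2-line OpenSSL version.
// Other release lines (1.0.1x, 1.1.x, 3.x) are outside the scope of this
// release note, so they are reported as "not assessed" (null) rather than
// as fixed or vulnerable.
function openAdvisories(opensslVersion) {
  const [maj, min, fix] = parseOpenSslVersion(opensslVersion);
  if (maj !== 1 || min !== 0 || fix !== 2) return null;
  return compareOpenSsl(opensslVersion, FIXED_IN) < 0 ? ADDRESSED_CVES.slice() : [];
}

// process.versions.openssl is the version string of the OpenSSL that Node.js
// was built against; `versions` is injectable so sample values can be audited.
function auditProcess(versions = process.versions) {
  const openssl = versions.openssl || 'unknown';
  let open = null;
  try { open = openAdvisories(openssl); } catch (e) { open = null; }
  return { openssl, fixedIn: FIXED_IN, open };
}

console.log(auditProcess()); // e.g. { openssl: '1.0.2g', fixedIn: '1.0.2g', open: [] }
```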
@MylesBorins MylesBorins deleted the v4.3.2-proposal branch March 2, 2016 22:11
@trevnorris
Contributor

@thealphanerd I think this may have landed on master...

@trevnorris
Contributor

At least, I'm curious why the commit message is "2016-03-02, Version 4.3.2 'Argon' (LTS)"

@MylesBorins
Contributor Author

I just cherry-picked the release commit to master. That is the process we have been doing for cherry-picking the changelogs

You can see past examples of this in my commit history --> https://github.com/nodejs/node/commits/master?author=TheAlphaNerd

@trevnorris
Contributor

@thealphanerd Sorry, my bad. I'd only noticed the v5 cherry-picks onto master in the past, not the v4. nm me :)
