diff options
author | Evan Lucas <evanlucas@me.com> | 2017-07-10 18:43:22 +0300 |
---|---|---|
committer | Myles Borins <mylesborins@google.com> | 2017-07-11 02:01:22 +0300 |
commit | 23cb8a0af031b0a6e903daf6611419a135fcca7c (patch) | |
tree | 31835d35ead451cb8640503cabfdcbbb6fe41bba | |
parent | 8a82960e768528068893d3b4a9c4fbe665501694 (diff) |
2017-07-11, Version 7.10.1 (Current)v7.10.1
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
* **build**:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
(Ali Ijaz Sheikh)
* **deps**:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks that
there is enough data for the required elements of an NAPTR record (2
int16, 3 bytes for string lengths) before processing a record. (David
Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/92
-rw-r--r-- | CHANGELOG.md | 3 | ||||
-rw-r--r-- | doc/changelogs/CHANGELOG_V7.md | 32 | ||||
-rw-r--r-- | src/node_version.h | 2 |
3 files changed, 35 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index f18cc5b2c8f..cf0eb0c466e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,8 @@ release. </tr> <tr> <td valign="top"> - <b><a href="doc/changelogs/CHANGELOG_V7.md#7.10.0">7.10.0</a></b><br/> + <b><a href="doc/changelogs/CHANGELOG_V7.md#7.10.1">7.10.1</a></b><br/> + <a href="doc/changelogs/CHANGELOG_V7.md#7.10.0">7.10.0</a><br/> <a href="doc/changelogs/CHANGELOG_V7.md#7.9.0">7.9.0</a><br/> <a href="doc/changelogs/CHANGELOG_V7.md#7.8.0">7.8.0</a><br/> <a href="doc/changelogs/CHANGELOG_V7.md#7.7.4">7.7.4</a><br/> diff --git a/doc/changelogs/CHANGELOG_V7.md b/doc/changelogs/CHANGELOG_V7.md index cfe6976ea41..59325d60903 100644 --- a/doc/changelogs/CHANGELOG_V7.md +++ b/doc/changelogs/CHANGELOG_V7.md @@ -6,6 +6,7 @@ </tr> <tr> <td> +<a href="#7.10.1">7.10.1</a><br/> <a href="#7.10.0">7.10.0</a><br/> <a href="#7.9.0">7.9.0</a><br/> <a href="#7.8.0">7.8.0</a><br/> @@ -35,6 +36,37 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) +<a id="7.10.1"></a> +## 2017-07-11, Version 7.10.1 (Current), @evanlucas + +This is a security release. All Node.js users should consult the +security release summary at +https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/ +for details on patched vulnerabilities. + +### Notable changes + +* **build**: + - Disable V8 snapshots - The hashseed embedded in the snapshot is + currently the same for all runs of the binary. This opens node up to +collision attacks which could result in a Denial of Service. We have +temporarily disabled snapshots until a more robust solution is found +(Ali Ijaz Sheikh) +* **deps**: + - CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), + which is used for parsing NAPTR responses, could be triggered to +read memory outside of the given input buffer if the passed in DNS +response packet was crafted in a particular way. This patch checks that +there is enough data for the required elements of an NAPTR record (2 +int16, 3 bytes for string lengths) before processing a record. (David +Drysdale) + +### Commits + +* [[`ff587deb54`](https://github.com/nodejs/node/commit/ff587deb54)] - **build**: disable V8 snapshots (Ali Ijaz Sheikh) [nodejs/node-private#84](https://github.com/nodejs/node-private/pull/84) +* [[`8a82960e76`](https://github.com/nodejs/node/commit/8a82960e76)] - **deps**: cherry-pick 9478908a49 from cares upstream (David Drysdale) [nodejs/node-private#88](https://github.com/nodejs/node-private/pull/88) +* [[`b5bf5e8086`](https://github.com/nodejs/node/commit/b5bf5e8086)] - **test**: verify hash seed uniqueness (Ali Ijaz Sheikh) [nodejs/node-private#84](https://github.com/nodejs/node-private/pull/84) + <a id="7.10.0"></a> ## 2017-05-02, Version 7.10.0 (Current), @evanlucas diff --git a/src/node_version.h b/src/node_version.h index 0629b31063b..52f41ac00b3 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -5,7 +5,7 @@ #define NODE_MINOR_VERSION 10 #define NODE_PATCH_VERSION 1 -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) |