diff options
| author | Myles Borins <mborins@us.ibm.com> | 2016-03-02 20:48:15 +0300 |
|---|---|---|
| committer | Myles Borins <mborins@us.ibm.com> | 2016-03-02 22:53:00 +0300 |
| commit | c23f6087966be0b8944b71bc238d383080f87573 (patch) | |
| tree | 6dfc620452f86c43e95d0bccb99cf87fbf02ea1f | |
| parent | c133797d09256ca028162647b19f7c1fa333ab66 (diff) | |
2016-03-02, Version 4.3.2 'Argon' (LTS)v4.3.2
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website (https://nodejs.org/en/blog/vulnerability/openssl-march-2016/)
Notable changes
* openssl
- this upgrade to openssl 1.0.2g. This fixes the security vulnerabilities that are references in this openssl announce (https://mta.openssl.org/pipermail/openssl-announce/2016-February/000063.html)
PR-URL: https://github.com/nodejs/node/pull/5526
| -rw-r--r-- | CHANGELOG.md | 16 | ||||
| -rw-r--r-- | src/node_version.h | 2 |
2 files changed, 17 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ffb6ebdcb4..462d5b1c52d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,21 @@ # Node.js ChangeLog +## 2016-03-02, Version 4.3.2 'Argon' (LTS), @thealphanerd + +This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on [the Node.js website](https://nodejs.org/en/blog/vulnerability/openssl-march-2016/) + +### Notable changes + +* **openssl**: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) [#5507](https://github.com/nodejs/node/pull/5507) + - Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at [CVE-2016-0705](https://www.openssl.org/news/vulnerabilities.html#2016-0705). + - Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at [CVE-2016-0797](https://www.openssl.org/news/vulnerabilities.html#2016-0797). + - Fix a defect that makes the _[CacheBleed Attack](https://ssrg.nicta.com.au/projects/TS/cachebleed/)_ possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at [CVE-2016-0702](https://www.openssl.org/news/vulnerabilities.html#2016-0702). + +## Commits + +* [[`c133797d09`](https://github.com/nodejs/node/commit/c133797d09)] - **deps**: upgrade openssl to 1.0.2g (Ben Noordhuis) [#5507](https://github.com/nodejs/node/pull/5507) + + ## 2016-02-16, Version 4.3.1 'Argon' (LTS), @thealphanerd ### Notable changes diff --git a/src/node_version.h b/src/node_version.h index 40f1fedf92b..e9010103505 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -8,7 +8,7 @@ #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Argon" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) |