diff options
| author | James M Snell <jasnell@gmail.com> | 2016-02-08 23:36:05 +0300 |
|---|---|---|
| committer | James M Snell <jasnell@gmail.com> | 2016-02-09 19:42:15 +0300 |
| commit | 58db386a1be17499a444df6a78743c9dfb3cfbe3 (patch) | |
| tree | b4cc107031d175158de264a3bedfae62d07d382f | |
| parent | d94f864abd0933c125afeb84b6f72ec709c63b43 (diff) | |
2016-02-09, Version 4.3.0 'Argon' (LTS)v4.3.0
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
PR-URL: https://github.com/nodejs/node-private/pull/20
| -rw-r--r-- | CHANGELOG.md | 24 | ||||
| -rw-r--r-- | src/node_version.h | 6 |
2 files changed, 27 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e39f9096dd..470a86964de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,29 @@ # Node.js ChangeLog +## 2016-02-09, Version 4.3.0 'Argon' (LTS), @jasnell + +This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities. + +Note that this release includes a non-backward compatible change to address a security issue. This change increases the version of the LTS v4.x line to v4.3.0. There will be *no further updates* to v4.2.x. + +### Notable changes + +* **http**: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters. +* **http-parser**: upgrade from 2.5.0 to 2.5.1 +* **openssl**: upgrade from 1.0.2e to 1.0.2f. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits. +* **src**: + - introduce new `--security-revert={cvenum}` command line flag for selective reversion of specific CVE fixes + - allow the fix for CVE-2016-2216 to be selectively reverted using `--security-revert=CVE-2016-2216` + +### Commits + +* [[`cd07fddc58`](https://github.com/nodejs/node/commit/cd07fddc58)] - **deps**: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) [#1836](https://github.com/nodejs/node/pull/1836) +* [[`b089052846`](https://github.com/nodejs/node/commit/b089052846)] - **deps**: upgrade openssl sources to 1.0.2f (Myles Borins) [#4961](https://github.com/nodejs/node/pull/4961) +* [[`d66b618828`](https://github.com/nodejs/node/commit/d66b618828)] - **(SEMVER-MINOR)** **deps**: update http-parser to version 2.5.1 (James M Snell) +* [[`092d1aeb8a`](https://github.com/nodejs/node/commit/092d1aeb8a)] - **(SEMVER-MINOR)** **http**: strictly forbid invalid characters from headers (James M Snell) +* [[`9bd1b3bbf7`](https://github.com/nodejs/node/commit/9bd1b3bbf7)] - **src**: avoid compiler warning in node_revert.cc (James M Snell) +* [[`3a964ea9d7`](https://github.com/nodejs/node/commit/3a964ea9d7)] - **(SEMVER-MAJOR)** **src**: add --security-revert command line flag (James M Snell) + ## 2016-01-21, Version 4.2.6 'Argon' (LTS), @TheAlphaNerd ### Notable changes diff --git a/src/node_version.h b/src/node_version.h index 1d2730b54b6..baae06c51c5 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -2,13 +2,13 @@ #define SRC_NODE_VERSION_H_ #define NODE_MAJOR_VERSION 4 -#define NODE_MINOR_VERSION 2 -#define NODE_PATCH_VERSION 7 +#define NODE_MINOR_VERSION 3 +#define NODE_PATCH_VERSION 0 #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Argon" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) |