From 23cb8a0af031b0a6e903daf6611419a135fcca7c Mon Sep 17 00:00:00 2001 From: Evan Lucas Date: Mon, 10 Jul 2017 10:43:22 -0500 Subject: 2017-07-11, Version 7.10.1 (Current) This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/ for details on patched vulnerabilities. * **build**: - Disable V8 snapshots - The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found (Ali Ijaz Sheikh) * **deps**: - CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. This patch checks that there is enough data for the required elements of an NAPTR record (2 int16, 3 bytes for string lengths) before processing a record. (David Drysdale) PR-URL: https://github.com/nodejs/node-private/pull/92 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V7.md | 32 ++++++++++++++++++++++++++++++++ src/node_version.h | 2 +- 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f18cc5b2c8f..cf0eb0c466e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,8 @@ release. - 7.10.0
+ 7.10.1
+ 7.10.0
7.9.0
7.8.0
7.7.4
diff --git a/doc/changelogs/CHANGELOG_V7.md b/doc/changelogs/CHANGELOG_V7.md index cfe6976ea41..59325d60903 100644 --- a/doc/changelogs/CHANGELOG_V7.md +++ b/doc/changelogs/CHANGELOG_V7.md @@ -6,6 +6,7 @@ +7.10.1
7.10.0
7.9.0
7.8.0
@@ -35,6 +36,37 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + +## 2017-07-11, Version 7.10.1 (Current), @evanlucas + +This is a security release. All Node.js users should consult the +security release summary at +https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/ +for details on patched vulnerabilities. + +### Notable changes + +* **build**: + - Disable V8 snapshots - The hashseed embedded in the snapshot is + currently the same for all runs of the binary. This opens node up to +collision attacks which could result in a Denial of Service. We have +temporarily disabled snapshots until a more robust solution is found +(Ali Ijaz Sheikh) +* **deps**: + - CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), + which is used for parsing NAPTR responses, could be triggered to +read memory outside of the given input buffer if the passed in DNS +response packet was crafted in a particular way. This patch checks that +there is enough data for the required elements of an NAPTR record (2 +int16, 3 bytes for string lengths) before processing a record. (David +Drysdale) + +### Commits + +* [[`ff587deb54`](https://github.com/nodejs/node/commit/ff587deb54)] - **build**: disable V8 snapshots (Ali Ijaz Sheikh) [nodejs/node-private#84](https://github.com/nodejs/node-private/pull/84) +* [[`8a82960e76`](https://github.com/nodejs/node/commit/8a82960e76)] - **deps**: cherry-pick 9478908a49 from cares upstream (David Drysdale) [nodejs/node-private#88](https://github.com/nodejs/node-private/pull/88) +* [[`b5bf5e8086`](https://github.com/nodejs/node/commit/b5bf5e8086)] - **test**: verify hash seed uniqueness (Ali Ijaz Sheikh) [nodejs/node-private#84](https://github.com/nodejs/node-private/pull/84) + ## 2017-05-02, Version 7.10.0 (Current), @evanlucas diff --git a/src/node_version.h b/src/node_version.h index 0629b31063b..52f41ac00b3 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -5,7 +5,7 @@ #define NODE_MINOR_VERSION 10 #define NODE_PATCH_VERSION 1 -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) -- cgit v1.2.3