Skip to content

Commit

Permalink
2015-12-04, Version 0.12.9 (Stable)
Browse files Browse the repository at this point in the history
Security Update

Notable items:

* http: Fix a bug where an HTTP socket may no longer have a socket but a
  pipelined request triggers a pause or resume, a potential
  denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
  "Certificate verify crash with missing PSS parameter", a potential
  denial-of-service vector for Node.js TLS servers; TLS clients are also
  impacted. Details are available at
  <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133

PR-URL: nodejs-private/node-private#13
  • Loading branch information
rvagg committed Dec 5, 2015
1 parent 2c61b84 commit 07d8741
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,19 @@
# Node.js ChangeLog

## 2015-12-04, Version 0.12.9 (LTS), @rvagg

Security Update

### Notable changes

* http: Fix CVE-2015-8027, a bug whereby an HTTP socket may no longer have a parser associated with it but a pipelined request attempts to trigger a pause or resume on the non-existent parser, a potential denial-of-service vulnerability. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client certificate authentication; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) https://github.com/nodejs/node/pull/4133

### Commits

* [8d24a14f2c] - deps: upgrade to openssl 1.0.1q (Ben Noordhuis) https://github.com/nodejs/node/pull/4133
* [dfc6f4a9af] - http: fix pipeline regression (Fedor Indutny)

## 2015-12-04, Version 0.10.41 (Maintenance), @rvagg

Security Update
Expand Down

0 comments on commit 07d8741

Please sign in to comment.