Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v4.8.7 proposal #17534

Merged
merged 8 commits into from
Dec 8, 2017
Merged

v4.8.7 proposal #17534

merged 8 commits into from
Dec 8, 2017

Conversation

MylesBorins
Copy link
Contributor

2017-12-08, Version 4.8.7 'Argon' (Maintenance), @MylesBorins

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Notable Changes

  • deps:
    • openssl updated to 1.0.2n (Shigeki Ohtsu) #17526

Commits

shigeki and others added 7 commits December 7, 2017 13:26
This replaces all sources of openssl-1.0.2n.tar.gz into
deps/openssl/openssl

PR-URL: #17526
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Daniel Bevenius <[email protected]>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #17526
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Daniel Bevenius <[email protected]>
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .

Fixes: #589
PR-URL: #1389
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: #589
PR-URL: #1389
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reapply b910613 .

Fixes: #589
PR-URL: #1389
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Fixes: #1461
PR-URL: #1836
Reviewed-By: Ben Noordhuis <[email protected]>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

PR-URL: #17526
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Daniel Bevenius <[email protected]>
@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. openssl Issues and PRs related to the OpenSSL dependency. v4.x labels Dec 7, 2017
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17534
@MylesBorins
Copy link
Contributor Author

@MylesBorins
Copy link
Contributor Author

Seeing failures on linux linked... I'm not sure we've ever used that to test v4.x before. Here is a run on v4.8.6 for posterity

https://ci.nodejs.org/job/node-test-commit-linux-linked/679/

@MylesBorins
Copy link
Contributor Author

CI + CITGM look good. Failures are all infra related or expected (specifically the arm failures. I'll work on getting the CI up to date with flakes after this release and before EOL

@MylesBorins MylesBorins merged commit e6ea634 into v4.x Dec 8, 2017
MylesBorins added a commit that referenced this pull request Dec 8, 2017
MylesBorins added a commit that referenced this pull request Dec 8, 2017
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    #17526

PR-URL: #17534
@MylesBorins MylesBorins deleted the v4.8.7-proposal branch December 12, 2017 21:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
meta Issues and PRs related to the general management of the project. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants