Release proposal: v3.3.2 (final io.js v3.x) #3465
Changes to `stream_base.cc` are required to support empty writes. Fixes CVE-2015-7384, nodejs#3138 Fix: nodejs#2639 PR-URL: nodejs#3128
Account for pending response data to decide whether to pause the socket or not. Writable stream state is not a reliable measure, because it just says how much data is pending on a **current** request, thus not helping much with the problem we are trying to solve here. PR-URL: nodejs#3128
Decrement `vcount` in `DoTryWrite` even if some of the buffers are empty. PR-URL: nodejs#3128
Notable changes

* http:
  - Fix out-of-order 'finish' event bug in pipelining that can abort execution, fixes DoS vulnerability CVE-2015-7384 (Fedor Indutny) nodejs#3128
  - Account for pending response data instead of just the data on the current request to decide whether to pause the socket or not (Fedor Indutny) nodejs#3128

#2999 targets
@indutny worth doing anything with #3549 for this? I was going to squeeze out v3.3.2 today but if a backport is possible & necessary for this then it'd be great. I just heard of a big name company that is locked in io.js v3 over the holiday season—which is a bad idea, but makes me think that there may be a few in a similar position.
#3490 also has a
@rvagg Should the notice about 3.x being unsupported from here on somehow be brought to attention? I mean — 3.x won't receive further security updates, which makes staying on 3.x insecure (that applies to all unsupported branches, btw). You now have:
Even if this is kept changelog-only, could this be highlighted somehow and reworded to better motivate users to update? For example, state that 3.x is not supported anymore after the {release date} and won't receive security updates.
Am I right that v3.3.2 is not going to happen? Close? EDIT: If this gets closed, #2999 can be closed as well.
it's going to happen still, held off for now
this ship has sailed, we announced this but it never happened, would be wrong to do it now as it sends the wrong message wrt support
@rvagg The text on https://iojs.org/en/ should be changed now, i.e. «(except for critical security fixes)» removed.
https://github.com/nodejs/iojs.org /cc @nodejs/website sorry, don't have time to tinker with this myself, the github webhook should still be in place for this.
@ChALkeR @rvagg I just changed the text on the home page: nodejs/iojs.org@0c18d03 And it's online.
💥 thanks @fhemberger!
@fhemberger Thanks!
This was promised during the same week as the security release v4.1.2 but never done. Only including those commits in this release for simplicity.
@indutny can you confirm I have the correct commits on this please? I'll release pretty quick and get this out of the way.