This is a special release that contains 0 commits. While promoting
additional platforms for v4.7.1 after the release, the tarballs on
the release server were overwritten and now have different shasums.
In order to remove any ambiguity around the release we have opted
to do a semver patch release with no changes.
|
|
Notable Changes
- build: shared library support is now working for AIX builds
- repl: Passing options to the repl will no longer overwrite
defaults
- timers: Re-canceling a cancelled timer will no longer throw
|
|
The SEMVER-MINOR changes include:
- build: export openssl symbols on Windows making it possible to
build addons linking against the bundled version of openssl
- debugger: make listen address configurable in the debugger server
- dgram: generalized send queue to handle close fixing a potential
throw when dgram socket is closed in the listening event handler.
- http: Introduce the 451 status code "Unavailable For Legal Reasons"
- tls: introduce secureContext for tls.connect which is useful for
caching client certificates, key, and CA certificates.
Notable SEMVER-PATCH changes include:
build:
- introduce the configure --shared option for embedders
- gtest: the test reporter now outputs tap comments as yamlish
- src: node no longer aborts when c-ares initialization fails
- tls: fix memory leak when writing data to TLSWrap instance during
handshake
|
|
|
|
- build: It is now possible to build the documentation from the release
tarball
- buffer: Buffer.alloc() will no longer incorrectly return a zero filled
buffer when an encoding is passed
- deps: upgrade npm in LTS to 2.15.11
- repl: Enable tab completion for global properties
- url: url.format() will now encode all # in search
|
|
- c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
information at https://c-ares.haxx.se/adv_20160929.html
|
|
- openssl: Remove support for loading dynamic third-party engine
modules. An attacker may be able to hide malicious code to be
inserted into Node.js at runtime by masquerading as one of the
dynamic engine modules.
- http: CVE-2016-5325 - Properly validate for allowable characters
in the reason argument in ServerResponse#writeHead().
- buffer: Zero-fill excess bytes in new Buffer objects created
with Buffer.concat() while providing a totalLength parameter
that exceeds the total length of the original Buffer objects
being concatenated.
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid
wildcard certificate for its hostname due to improper validation
of *. in the wildcard string.
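The reason-phrase validation named in the CVE-2016-5325 entry above, sketched as an added example (not code from Node.js or from this package): an unchecked status-line builder beside one that rejects characters outside the RFC 7230 reason-phrase grammar. The function names and the sample reason string are constructed for illustration.

```javascript
'use strict';
// RFC 7230 section 3.1.2: reason-phrase = *( HTAB / SP / VCHAR / obs-text )
// CR and LF are outside this set, so a valid phrase cannot end the status line.
const REASON_PHRASE = /^[\t\x20-\x7e\x80-\xff]*$/;

// Unchecked form: the reason string is copied into the response head as-is.
function buildHeadUnchecked(code, reason) {
  return `HTTP/1.1 ${code} ${reason}\r\nContent-Type: text/plain\r\n\r\n`;
}

// Checked form: refuse to serialize a reason phrase with disallowed characters.
function buildHeadChecked(code, reason) {
  if (typeof reason !== 'string' || !REASON_PHRASE.test(reason)) {
    throw new TypeError('Invalid character in reason phrase');
  }
  return buildHeadUnchecked(code, reason);
}

// Minimal recipient-side view of a response head: status line plus header map.
function parseHead(raw) {
  const lines = raw.split('\r\n');
  const headers = {};
  for (let i = 1; i < lines.length && lines[i] !== ''; i++) {
    const idx = lines[i].indexOf(':');
    headers[lines[i].slice(0, idx).toLowerCase()] = lines[i].slice(idx + 1).trim();
  }
  return { statusLine: lines[0], headers };
}

// Constructed input: a reason string carrying a CRLF and an extra header line.
const SAMPLE_REASON = 'OK\r\nX-Injected: 1';

// What the recipient parses when the reason is not validated.
function uncheckedResult() {
  return parseHead(buildHeadUnchecked(200, SAMPLE_REASON));
}

// Whether the checked builder rejects the same input.
function checkedRejects() {
  try { buildHeadChecked(200, SAMPLE_REASON); return false; }
  catch (e) { return e instanceof TypeError; }
}
```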
|
|
Semver Minor:
buffer:
- backport new buffer constructor APIs to v4.x
- backport --zero-fill-buffers cli option
build:
- add Intel Vtune profiling support
repl:
- copying tabs shouldn't trigger completion
src:
- add node::FreeEnvironment public API
test:
- run v8 tests from node tree
V8:
- Add post mortem data to improve object inspection and function's
context variables inspection
Semver Patch:
buffer:
- ignore negative allocation lengths
crypto:
- update root certificates
libuv:
- upgrade libuv to 1.9.1
- upgrade libuv to 1.9.0
npm:
- upgrade to 2.15.9
|
|
Notable Changes
- debugger:
* All properties of an array (aside from length) can now be printed
in the repl
- npm:
* Upgrade npm to 2.15.8
- stream:
* Fix for a bug that became more prevalent with the stream changes
that landed in v4.4.5.
- V8:
* Fix for a bug in crankshaft that was causing crashes on arm64
* Add missing classes to postmortem info such as JSMap and JSSet
|
|
This release is specifically related to a Buffer overflow
vulnerability discovered in v8, see CVE-2016-1669
|
|
package by default. Expand existing patch to fix NetBSD 6 build.
Fixes PR pkg/51172.
Bump PKGREVISION for lang/nodejs and lang/nodejs4.
|
|
buffer:
- Buffer no longer errors if you call lastIndexOf with a search
term longer than the buffer
contextify:
- Context objects are now properly garbage collected, this solves
a problem some individuals were experiencing with extreme memory
growth
deps:
- update npm to 2.15.5
http:
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999
|
|
- update openssl to 1.0.2h. (n/a with dynamic OpenSSL)
|
|
- deps: Fix --gdbjit for embedders. Backported from v8 upstream.
- etw: Correctly display descriptors for ETW events 9 and 23 on
the windows platform.
- querystring: Restore throw when attempting to stringify bad
surrogate pair.
|
|
|
|
4.4.2
* https: Under certain conditions ssl sockets may have been
causing a memory leak when keepalive is enabled. This is no
longer the case.
* lib: The way that we were internally passing arguments was
causing a potential leak. By copying the arguments into an
array we can avoid this.
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an
attacker to set up a server that could collect tokens from
users of the command-line interface. Authentication tokens
have previously been sent with every request made by the
CLI for logged-in users, regardless of the destination of
the request. This update fixes this by only including those
tokens for requests made against the registry or registries
used for the current install.
* repl: Previously if you were using the repl in strict mode
the column number would be wrong in a stack trace. This is
no longer an issue.
4.4.1
* build:
- Updated Logos for the OSX + Windows installers
- New option to select your VS Version in the Windows installer
- Support Visual C++ Build Tools 2015
* tools: Gyp now works on OSX without XCode
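The token scoping described in the npm v2.15.1 entry of the 4.4.2 notes above, as an added example (not npm's code): the Authorization header is attached only when the request targets a registry configured for the current install. The registry URLs, token value and function names are hypothetical.

```javascript
'use strict';
// Hypothetical registries in use for the current install (constructed values).
const REGISTRIES = [
  'https://registry.example.test/',
  'https://npm.corp.example.test/private/',
];

// Reduce a URL to the parts that decide whether it is "the registry".
// The WHATWG URL parser lowercases the host and resolves "../" segments.
function normalize(u) {
  const url = new URL(u);
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  const path = url.pathname.endsWith('/') ? url.pathname : url.pathname + '/';
  return { scheme: url.protocol, host: url.hostname, port, path };
}

// True only if scheme, host and port match a registry and the request path
// lies under that registry's path prefix.
function isRegistryRequest(requestUrl, registries) {
  let req;
  try { req = normalize(requestUrl); } catch (e) { return false; }
  return registries.some((r) => {
    const reg = normalize(r);
    return req.scheme === reg.scheme && req.host === reg.host &&
      req.port === reg.port && req.path.startsWith(reg.path);
  });
}

// Build request headers; the token is sent to registries and nowhere else.
function buildHeaders(requestUrl, token, registries) {
  const headers = { accept: 'application/json' };
  if (token && isRegistryRequest(requestUrl, registries)) {
    headers.authorization = 'Bearer ' + token;
  }
  return headers;
}
```

Comparing parsed scheme, host and port rather than a string prefix of the URL keeps lookalike hosts, userinfo tricks and plain-HTTP downgrades from receiving the token.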
|
|
Notable changes
- deps: An update to v8 that introduces a new flag
--perf_basic_prof_only_functions
- http: A new feature in http(s) agent that catches errors on keep
alived connections
- src: Better support for Big-Endian systems
- tls: A new feature that allows you to pass common SSL options
to tls.createSecurePair
- tools: a new flag --prof-process which will execute the tick
processor on the provided isolate files
- build: Support python path that includes spaces. This should be
of particular interest to our Windows users who may have python
living in c:/Program Files
- https: A potential fix for #3692 HTTP/HTTPS client requests
throwing EPROTO
- installer: More readable profiling information from isolate
tick logs
- npm: upgrade to npm 2.14.20
- process: Add support for symbols in event emitters. Symbols
didn't exist when it was written
- querystring: querystring.parse() is now 13-22% faster!
- streams: performance improvements for moving small buffers that
shows a 5% throughput gain. IoT projects have been seen to be as
much as 10% faster with this change!
- tools: eslint has been updated to version 2.1.0
|
|
|
|
Irrelevant to (dynamically linked) lang/nodejs4:
* openssl: Upgrade from 1.0.2f to 1.0.2g
|
|
buffer
- make byteLength work with Buffer correctly (Jackson Tian)
debugger
- guard against call from non-node context (Ben Noordhuis)
- do not incept debug context (Myles Borins)
deps
- update to http-parser 2.5.2 (James Snell)
|
|
Note that this release includes a non-backward compatible change
to address a security issue. This change increases the version
of the LTS v4.x line to v4.3.0. There will be no further updates
to v4.2.x.
- http: fix defects in HTTP header parsing for requests and
responses that can allow request smuggling (CVE-2016-2086)
or response splitting (CVE-2016-2216). HTTP header parsing
now aligns more closely with the HTTP spec including
restricting the acceptable characters.
- http-parser: upgrade from 2.5.0 to 2.5.1
- openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against
the Logjam attack, TLS clients now reject Diffie-Hellman
handshakes with parameters shorter than 1024-bits, up from
the previous limit of 768-bits.
- introduce new --security-revert={cvenum} command line flag
for selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted
using --security-revert=CVE-2016-2216
|
|
- Fix regression in debugger and profiler functionality
|
|
* assert
- accommodate ES6 classes that extend Error (Rich Trott) #4166
* build
- add "--partly-static" build options (Super Zheng) #4152
* deps
- backport 066747e from upstream V8 (Ali Ijaz Sheikh) #4655
- backport 200315c from V8 upstream (Vladimir Kurchatkin) #4128
- upgrade libuv to 1.8.0 (Saúl Ibarra Corretgé)
* docs
- various updates landed in 70 different commits!
* repl
- attach location info to syntax errors (cjihrig) #4013
- display error message when loading directory (Prince J Wesley) #4170
* tests
- various updates landed in over 50 commits
* tools
- add tap output to cpplint (Johan Bergstrom) #3448
* util
- allow lookup of hidden values (cjihrig) #3988
|
|
- Roughly 78% of the commits are documentation and test improvements
- domains:
* Fix handling of uncaught exceptions (Julien Gilli) #3884
- deps:
* Upgrade to npm 2.14.12 (Kat Marchan) #4110
* Backport 819b40a from V8 upstream (Michael Zasso) #3938
* Updated node LICENSE file with new npm license (Kat Marchan) #4110
|
|
Notable changes
- http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
- openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server
using DHE key exchange. Details are available at
http://openssl.org/news/secadv/20151203.txt.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
http://openssl.org/news/secadv/20151203.txt. (Shigeki Ohtsu) #4134
- v8: Backport fixes for a bug in JSON.stringify() that can result in
out-of-bounds reads for arrays. (Ben Noordhuis)
|
|
lang/nodejs.
This package holds the current 4.x LTS release.
For more on node.js LTS support, see here:
https://nodejs.org/en/blog/community/node-v5/
|