deps: upgrade to openssl 1.0.1q (v0.12) #4133
Conversation
Contains fixes for:
* CVE-2015-3194 Certificate verify crash with missing PSS parameter
* CVE-2015-3195 X509_ATTRIBUTE memory leak
LGTM if CI is happy.
@bnoordhuis What to do for the opensslconf.h change in openssl/openssl@98b9454? It is for sun and seems not to be serious. But just for confirmation.
asm, header files and floating patches are fine. The only remaining one is opensslconf.h.
I forgot to commit that. New CI with opensslconf.h fix-up: https://ci.nodejs.org/job/node-test-pull-request/911/
I think node is not vulnerable to the X509_ATTRIBUTE memory leak (CVE-2015-3195) because PKCS7/CMS is not supported in Node.
LGTM if CI is fine.
Is the fix of character encoding also necessary for 1.0.2e? I never had warning noise about character encoding while working on it.
@shigeki bnoordhuis/io.js@353c7f8 is what the diff looks like for 1.0.2e.
There seems to be nothing to change in my branch with your commit. Why did the difference happen?
CI is fine. But this PR is against v0.12, not v0.12-staging. Which is the right branch to land on?
@shigeki land it in v0.12-staging, I'll pull from there.
Okay, I will land this on v0.12-staging.
Contains fixes for:
* CVE-2015-3194 Certificate verify crash with missing PSS parameter
* CVE-2015-3195 X509_ATTRIBUTE memory leak

fixup! character encoding noise
fixup! update opensslconf.h

PR-URL: #4133
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Landed in 6ee1536. Thanks.
Security Update

Notable items:
* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (nodejs/Release#37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133

PR-URL: nodejs-private/node-private#15
Security Update

Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket but a pipelined request triggers a pause or resume, a potential denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133

PR-URL: nodejs-private/node-private#13
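A defender's follow-up to the release notes above: a check that the OpenSSL a Node.js binary was built against is at or past the release carrying the CVE-2015-3194/3195 fixes. This is an added example, not code from the PR or from Node.js; the 1.0.1q floor is the one this PR lands, and the 1.0.2e floor for the 1.0.2 branch is taken from the OpenSSL advisory linked above (assumption: no other branches are considered).

```javascript
'use strict';
// Added example (not from the PR): decide whether a bundled OpenSSL version
// string includes the fixes from the 2015-12-03 advisory (CVE-2015-3194,
// CVE-2015-3195). Fixed releases per affected branch, from that advisory:
const FIXED = { '1.0.1': 'q', '1.0.2': 'e' };

// Parse "1.0.1q", "1.0.2e-fips" or "1.0.2" into { branch, letter }.
// OpenSSL's trailing letter is its patch-release indicator; no letter means
// the initial release of the branch, which sorts before "a".
function parseOpenSslVersion(v) {
  const m = /^(\d+\.\d+\.\d+)([a-z]*)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { branch: m[1], letter: m[2] };
}

// Order patch letters: "" < "a" < ... < "z" < "za" (longer suffix is newer).
function letterCmp(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : a > b ? 1 : 0;
}

// true  -> on an affected branch and at/after the fixed release
// false -> on an affected branch but below the fixed release
// null  -> unparseable, or a branch the advisory does not cover
function isPatched(v) {
  const p = parseOpenSslVersion(v);
  if (!p || !(p.branch in FIXED)) return null;
  return letterCmp(p.letter, FIXED[p.branch]) >= 0;
}

// Human-readable verdict for an audit script or startup self-check.
function report(v) {
  const r = isPatched(v);
  if (r === null) return `OpenSSL ${v}: branch not covered by the 2015-12-03 advisory`;
  return r ? `OpenSSL ${v}: includes the CVE-2015-3194/3195 fixes`
           : `OpenSSL ${v}: below the fixed release, upgrade required`;
}

// Check the OpenSSL the running Node.js binary was built against.
console.log(report(process.versions.openssl));
```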
Contains fixes for:
(v0.12 is not affected by CVE-2015-3193 and CVE-2015-3196.)
OpenSSL did a character encoding fix-up that I've split off into a separate commit to keep down the noise in the main commit.
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/909/