Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v15.14.0 proposal #38084

Merged
merged 41 commits into from
Apr 6, 2021
Merged

v15.14.0 proposal #38084

merged 41 commits into from
Apr 6, 2021

Conversation

MylesBorins
Copy link
Contributor

@MylesBorins MylesBorins commented Apr 4, 2021

2021-04-06, Version 15.14.0 (Current), @MylesBorins

This is a security release.

Notable Changes

Vulnerabilties Fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines

Other Notable Changes:

  • [b6f4901221] - (SEMVER-MINOR) fs: add support for async iterators to fsPromises.writeFile (HiroyukiYagihashi) #37490
  • [0709cbb7fe] - (SEMVER-MINOR) net: allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917
  • [daa8a7bbcf] - (SEMVER-MINOR) net: add SocketAddress class (James M Snell) #37917
  • [a4169ce519] - (SEMVER-MINOR) net: make net.BlockList cloneable (James M Snell) #37917
  • [669b81c68b] - (SEMVER-MINOR) net,tls: add abort signal support to connect (Nitzan Uziely) #37735
  • [a1123f0a29] - (SEMVER-MINOR) readline: add AbortSignal support to interface (Nitzan Uziely) #37932

Commits

  • [ac69b95e47] - crypto: use correct webcrypto RSASSA-PKCS1-v1_5 algorithm name (Filip Skokan) #38029
  • [960c6be229] - crypto: add buffering to randomInt (Tobias Nießen) #35110
  • [4ef102d34e] - deps: update to cjs-module-lexer@1.1.1 (Guy Bedford) #37992
  • [f0e77149a4] - deps: update archs files for OpenSSL-1.1.1k (Hassaan Pasha) #37916
  • [bbdcdad2c6] - deps: upgrade openssl sources to 1.1.1k+quic (Hassaan Pasha) #37916
  • [913ec56798] - deps: cjs-module-lexer: cherry-pick 22093e765f (pezhmanparsaee) #37895
  • [afc6ab2122] - doc: fix asyncLocalStorage.run() description (Darkripper214) #38023
  • [b40d35d649] - doc: document how to unref stdin when using readline.Interface (Anu Pasumarthy) #38019
  • [ce14080473] - doc: move psmarshall to collaborators emeriti (Peter Marshall) #37994
  • [ae70aa3c63] - doc: add distinctive color for code elements inside links (Antoine du Hamel) #37950
  • [8792c7c96b] - doc: add missing events.on metadata (Anna Henningsen) #37965
  • [a57dc06adf] - doc: improve Buffer's encoding documentation (Michaël Zasso) #37945
  • [f3fabb57cf] - doc: add missing cleanup step in OpenSSL upgrade (Tobias Nießen) #37927
  • [13c3924af8] - doc: add Windows-specific info to subprocess.kill() (João Lucas Lucchetta) #34867
  • [b6f4901221] - (SEMVER-MINOR) fs: add support for async iterators to fsPromises.writeFile (HiroyukiYagihashi) #37490
  • [ad7e34446c] - fs: fix chown abort (Darshan Sen) #38004
  • [d86aca9a77] - http: optimize debug function correctly (Michaël Zasso) #37966
  • [062541aae5] - http2: add specific error code for custom frames (Anna Henningsen) #37936
  • [8525231902] - lib: change wording in lib/domain.js comment (Akhil Marsonya) #37933
  • [21e399be4c] - lib: change wording in lib/internal/child_process comment (Akhil Marsonya) #37903
  • [3ab9619e56] - module: improve error message for invalid data URL (Antoine du Hamel) #37701
  • [0709cbb7fe] - (SEMVER-MINOR) net: allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917
  • [daa8a7bbcf] - (SEMVER-MINOR) net: add SocketAddress class (James M Snell) #37917
  • [a4169ce519] - (SEMVER-MINOR) net: make net.BlockList cloneable (James M Snell) #37917
  • [669b81c68b] - (SEMVER-MINOR) net,tls: add abort signal support to connect (Nitzan Uziely) #37735
  • [a94cc27cbe] - path: refactor to use more primordials (Akhil Marsonya) #37893
  • [6cc1e15669] - readline: fix pre-aborted signal question handling (Nitzan Uziely) #37929
  • [a1123f0a29] - (SEMVER-MINOR) readline: add AbortSignal support to interface (Nitzan Uziely) #37932
  • [629e72e9f4] - src: fix typo in node_mutex (Tobias Nießen) #38011
  • [e61cc0bfb0] - src: fix typos in crypto comments (Tobias Nießen) #38024
  • [6ad0b6f0f5] - src: fix error handling for CryptoJob::ToResult (Tobias Nießen) #37076
  • [3175559bed] - test: add extra space in test failure output (Qingyu Deng) #37957
  • [0243376cfc] - test: use faster variant for rss (Pooja D P) #36839
  • [b02c352ad6] - test: fix test-tls-no-sslv3 for OpenSSL 3 (Richard Lau) #38027
  • [0db1a1eacf] - test: deflake test-fs-read-optional-params (Luigi Pinca) #37991
  • [4d50975cd7] - test: improve clarity of ALS-enable-disable.js (Darkripper214) #38008
  • [5e15ae05d0] - test: add DataView test case for v8 serdes (Rich Trott) #37955
  • [6d28a24f1c] - tools: update ESLint to 7.23.0 (Luigi Pinca) #37979
  • [51e7a33d54] - tools,doc: add "legacy" badge in the TOC (Antoine du Hamel) #37949
  • [570fbcef93] - url: forbid pipe in URL host (Darshan Sen) #37877

peZhmanParsaee and others added 24 commits April 4, 2021 15:22
Original commit message:
	fix "the the" typo in README.md file

Refs: nodejs/cjs-module-lexer@22093e7

PR-URL: #37895
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
This completes code coverage for v8.js.

Refs: https://coverage.nodejs.org/coverage-290c158018ac0277/lib/v8.js.html#L240

PR-URL: #37955
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Fixes: #37862

PR-URL: #37877
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Clarify the inner workings of .kill on Windows,
since termination signals are not available there.

Fixes: #34858

PR-URL: #34867
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This updates all sources in deps/openssl/openssl by:
    $ git clone /~https://github.com/quictls/openssl
    $ cd openssl
    $ git checkout OpenSSL_1_1_1k+quic
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../openssl openssl
    $ cd openssl && rm -rf .gitattributes .github/ .gitmodules .travis-apt-pin.preferences  .travis-create-release.sh
    $ cd ..
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37916
Fixes: #37913
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
 After an OpenSSL source update, all the config files need to be
 regenerated and committed by:
    $ make -C deps/openssl/config
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/include/crypto/bn_conf.h
    $ git add deps/openssl/openssl/include/crypto/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: #37916
Fixes: #37913
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Refs: #37916

PR-URL: #37927
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
- Add a paragraph about case-insensitivity of encoding options.
- Document "utf-8", "utf-16le" and "ucs-2" aliases.
- Always use "utf8" in documentation for defaults and examples.

PR-URL: #37945
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Exporting a variable that will be mutated later doesn't work.

Refs: #37937

PR-URL: #37966
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #37893
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
PR-URL: #37992
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
PR-URL: #37949
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
As suggested in
#37849 (comment)
improve the error presented when encountering a large number of
invalid frames by giving this situation a specific error code (which we
should have had from the beginning).

PR-URL: #37936
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
This was missed in the original PR.

Refs: #34912

PR-URL: #37965
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Add documentation for net.connect AbortSignal,
and add the support to tls.connect as well

PR-URL: #37735
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Add abort signal support to Interface

PR-URL: #37932
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
fix pre-aborted question handling

PR-URL: #37929
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Change the wording to make the language more Inclusive.

PR-URL: #37903
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Change the wording to make the language more Inclusive.

PR-URL: #37933
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: #37950
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: #37917
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: #37917
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: #37917
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
The last als.run() will reactivate the als,
hence the test should test for getting the object,
not undefined

PR-URL: #38008
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
@nodejs-github-bot nodejs-github-bot added doc Issues and PRs related to the documentations. meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. v15.x labels Apr 4, 2021
@MylesBorins MylesBorins changed the title V15.14.0 proposal v15.14.0 proposal Apr 4, 2021
panva and others added 4 commits April 5, 2021 12:57
PR-URL: #38029
Refs: https://www.w3.org/TR/WebCryptoAPI/#rsassa-pkcs1
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: #38024
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Fixes: #37391

PR-URL: #37490
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: #38011
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
MylesBorins added a commit that referenced this pull request Apr 5, 2021
Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

Other Notable changes:

fs:
  * (SEMVER-MINOR) add support for async iterators to `fsPromises.writeFile` (HiroyukiYagihashi) #37490
net:
  * (SEMVER-MINOR) allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917
  * (SEMVER-MINOR) add SocketAddress class (James M Snell) #37917
  * (SEMVER-MINOR) make net.BlockList cloneable (James M Snell) #37917
net,tls:
  * (SEMVER-MINOR) add abort signal support to connect (Nitzan Uziely) #37735
readline:
  * (SEMVER-MINOR) add AbortSignal support to interface (Nitzan Uziely) #37932

PR-URL: #38084
@MylesBorins
Copy link
Contributor Author

updated with vulnerability notes

@Trott I've removed de67952 and it can be brought back in the next release with the perf fix.

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 5, 2021

@bricss
Copy link

bricss commented Apr 6, 2021

Looks like #37747 ready to be pulled back in together with #38064 😀

MylesBorins added a commit that referenced this pull request Apr 6, 2021
Notable Changes:

This is a security release.

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

Other Notable changes:

fs:
  * (SEMVER-MINOR) add support for async iterators to `fsPromises.writeFile` (HiroyukiYagihashi) #37490
net:
  * (SEMVER-MINOR) allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917
  * (SEMVER-MINOR) add SocketAddress class (James M Snell) #37917
  * (SEMVER-MINOR) make net.BlockList cloneable (James M Snell) #37917
net,tls:
  * (SEMVER-MINOR) add abort signal support to connect (Nitzan Uziely) #37735
readline:
  * (SEMVER-MINOR) add AbortSignal support to interface (Nitzan Uziely) #37932

PR-URL: #38084
Notable Changes:

This is a security release.

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

Other Notable changes:

fs:
  * (SEMVER-MINOR) add support for async iterators to `fsPromises.writeFile` (HiroyukiYagihashi) #37490
net:
  * (SEMVER-MINOR) allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917
  * (SEMVER-MINOR) add SocketAddress class (James M Snell) #37917
  * (SEMVER-MINOR) make net.BlockList cloneable (James M Snell) #37917
net,tls:
  * (SEMVER-MINOR) add abort signal support to connect (Nitzan Uziely) #37735
readline:
  * (SEMVER-MINOR) add AbortSignal support to interface (Nitzan Uziely) #37932

PR-URL: #38084
@MylesBorins
Copy link
Contributor Author

@bricss I unfortunately don't have time to add them back and re run all the testing. it will have to wait for the next release

@MylesBorins MylesBorins merged commit 1a34e9c into v15.x Apr 6, 2021
MylesBorins added a commit that referenced this pull request Apr 6, 2021
MylesBorins added a commit that referenced this pull request Apr 6, 2021
Notable Changes:

This is a security release.

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

Other Notable changes:

fs:
  * (SEMVER-MINOR) add support for async iterators to `fsPromises.writeFile` (HiroyukiYagihashi) #37490
net:
  * (SEMVER-MINOR) allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917
  * (SEMVER-MINOR) add SocketAddress class (James M Snell) #37917
  * (SEMVER-MINOR) make net.BlockList cloneable (James M Snell) #37917
net,tls:
  * (SEMVER-MINOR) add abort signal support to connect (Nitzan Uziely) #37735
readline:
  * (SEMVER-MINOR) add AbortSignal support to interface (Nitzan Uziely) #37932

PR-URL: #38084
@MylesBorins MylesBorins deleted the v15.14.0-proposal branch April 6, 2021 20:11
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
@targos targos added the release Issues and PRs related to Node.js releases. label Apr 11, 2021
richardlau added a commit to richardlau/nodejs.org that referenced this pull request Apr 12, 2021
Add links for Windows 64-bit Installer and Source Code.

Refs: nodejs/node#38084
richardlau added a commit to nodejs/nodejs.org that referenced this pull request Apr 12, 2021
Add links for Windows 64-bit Installer and Source Code.

Refs: nodejs/node#38084
@targos targos removed doc Issues and PRs related to the documentations. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. meta Issues and PRs related to the general management of the project. labels Jun 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release Issues and PRs related to Node.js releases.
Projects
None yet
Development

Successfully merging this pull request may close these issues.