The Nodesource Blog

Node.js v5.7.1 Release Brief

This week’s stable release fixes several regressions from v5.7.0, and also comes with a low-impact OpenSSL security upgrade.

We do not believe the issues from OpenSSL, as outlined in the Notable Changes below, are readily exploitable in Node.js.

Notably, CVE-2016-0800 (known as the DROWN attack) does not affect Node.js v4 or v5, as we build without any support for SSLv2/3.

Overview

Of a total of 74 commits:

  • 29 were documentation-only commits.
  • 15 only modify tests and 3 only affect internal tooling.
  • Upgraded openssl to 1.0.2g (up from 1.0.2f) #5507.

The remaining significant commits are as follows:

  • [7cae774d9b] - benchmark: refactor to eliminate redeclared vars (Rich Trott) #5468
  • [6aebe16669] - benchmark: add benchmark for buf.compare() (Rich Trott) #5441
  • [00660f55c8] - benchmark: move string-decoder to its own category (Andreas Madsen) #5177
  • [4650cb3818] - benchmark: fix configuration parameters (Andreas Madsen) #5177
  • [3ccb275139] - benchmark: merge url.js with url-resolve.js (Andreas Madsen) #5177
  • [c1e7dbffaa] - benchmark: move misc to categorized directories (Andreas Madsen) #5177
  • [2f9fee6e8e] - benchmark: use strict mode (Rich Trott) #5336
  • [4c09e7f359] - build: remove --quiet from eslint invocation (firedfox) #5519
  • [2c619f2012] - build: run lint before tests (Rich Trott) #5470
  • [f349a9a2cf] - build: update Node.js logo on OSX installer (Rod Vagg) #5401
  • [88f393588a] - crypto: PBKDF2 works with int not ssize_t (Fedor Indutny) #5397
  • [d3f9b84be8] - dgram: handle default address case when offset and length are specified (Matteo Collina)
  • [d77c3bf204] - http_parser: use MakeCallback (Trevor Norris) #5419
  • [e3421ac296] - lib: freelist: use .pop() for allocation (Anton Khlynovskiy) #2174
  • [91d218d096] - path: fix path.relative() for prefixes at root (Owen Smith) #5490
  • [ef7a088906] - path: fix win32 parse() (Zheng Chaoping) #5484
  • [871396ce8f] - path: fix win32 relative() for UNC paths (Owen Smith) #5456
  • [91782f1888] - path: fix win32 relative() when "to" is a prefix (Owen Smith) #5456
  • [30cec18eeb] - path: fix verbose relative() output (Brian White) #5389
  • [2b88523836] - repl: fix stack trace column number in strict mode (Prince J Wesley) #5416
  • [51db48f741] - src,tools: remove null sentinel from source array (Ben Noordhuis) #5418
  • [03a5daba55] - src,tools: drop nul byte from built-in source code (Ben Noordhuis) #5418
  • [17d14f3346] - src,tools: allow utf-8 in built-in js source code (Ben Noordhuis) #5418
  • [25c01cd779] - tls: fix assert in context._external accessor (Ben Noordhuis) #5521
  • [9424fa5732] - url: group slashed protocols by protocol name (nettofarah) #5380
  • [dfe45f13e7] - url: fix off-by-one error with parse() (Brian White) #5394

Notable Changes

  • governance: The Core Technical Committee (CTC) added four new members to help guide Node.js core development: Evan Lucas, Rich Trott, Ali Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
  • openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) #5507.
    • Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705.
    • Fix a defect that can cause memory corruption in certain very rare cases relating to the internal BN_hex2bn() and BN_dec2bn() functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are unlikely to be possible. More info is available at CVE-2016-0797.
    • Fix a defect that makes the CacheBleed Attack possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702.
  • Fixed several regressions that appeared in v5.7.0:
    • path.relative() #5456:
      • Output is no longer unnecessarily verbose (Brian White) #5389.
      • Resolving UNC paths on Windows now works correctly (Owen Smith) #5456.
      • Resolving paths with prefixes now works correctly from the root directory (Owen Smith) #5490.
    • url: Fixed an off-by-one error with parse() (Brian White) #5394.
    • dgram: Now correctly handles a default address case when offset and length are specified (Matteo Collina) #5407.

Git Diffstats

(Showing the delta between v5.7.0 and v5.7.1, ignoring deps/npm.)

Without deps, docs, benchmarks, or tests:

 .eslintrc                 |  5 ++-
 Makefile                  |  9 ++---
 lib/.eslintrc             |  3 ++
 lib/dgram.js              | 10 ++++--
 lib/internal/freelist.js  |  2 +-
 lib/path.js               | 70 +++++++++++++++++++++++++++---------
 lib/repl.js               |  6 +++-
 lib/url.js                | 10 +++---
 src/async-wrap.h          |  1 +
 src/node_crypto.cc        | 88 ++++++++++++++++++++++++---------------------
 src/node_http_parser.cc   | 27 +++++++++-----
 src/node_javascript.cc    | 24 ++++++-------
 src/node_version.h        |  2 +-
 tools/doc/addon-verify.js |  6 ++++
 tools/doc/html.js         | 32 +++++++++++++++++
 tools/js2c.py             | 33 +++--------------
 tools/test.py             | 11 +++++-
 vcbuild.bat               |  2 +-
 18 files changed, 218 insertions(+), 123 deletions(-)

Deps only:

   7.5% deps/openssl/asm/x64-elf-gas/aes/
   5.1% deps/openssl/asm/x64-elf-gas/bn/
   1.5% deps/openssl/asm/x64-elf-gas/ec/
   1.7% deps/openssl/asm/x64-elf-gas/modes/
  20.5% deps/openssl/asm/x64-elf-gas/sha/
   7.4% deps/openssl/asm/x64-macosx-gas/aes/
   5.1% deps/openssl/asm/x64-macosx-gas/bn/
   1.4% deps/openssl/asm/x64-macosx-gas/ec/
   1.7% deps/openssl/asm/x64-macosx-gas/modes/
  20.4% deps/openssl/asm/x64-macosx-gas/sha/
   2.6% deps/openssl/asm/x64-win32-masm/bn/
   3.7% deps/openssl/asm/x86-elf-gas/sha/
   3.6% deps/openssl/asm/x86-macosx-gas/sha/
   3.6% deps/openssl/asm/x86-win32-masm/sha/
   1.2% deps/openssl/asm_obsolete/x64-elf-gas/bn/
   0.9% deps/openssl/asm_obsolete/x64-elf-gas/
   1.2% deps/openssl/asm_obsolete/x64-macosx-gas/bn/
   0.9% deps/openssl/asm_obsolete/x64-macosx-gas/
   1.6% deps/openssl/asm_obsolete/x64-win32-masm/bn/
   2.9% deps/openssl/openssl/crypto/bn/asm/
   1.3% deps/openssl/openssl/crypto/
   0.7% deps/openssl/openssl/doc/ssl/
   0.8% deps/openssl/openssl/ssl/
   1.5% deps/openssl/openssl/
 173 files changed, 9866 insertions(+), 76198 deletions(-)

Docs only:

 CHANGELOG.md                           |  94 ++++++++++++
 README.md                              |  12 +-
 ROADMAP.md                             |   4 +-
 doc/api/addons.markdown                |  22 +--
 doc/api/assert.markdown                |   5 +-
 doc/api/buffer.markdown                |   7 +-
 doc/api/child_process.markdown         |   2 +-
 doc/api/cluster.markdown               |   3 +-
 doc/api/crypto.markdown                | 227 +++++++++++++++--------------
 doc/api/dgram.markdown                 |   2 +-
 doc/api/documentation.markdown         |  16 +++
 doc/api/fs.markdown                    |   9 ++
 doc/api/http.markdown                  |   4 +-
 doc/api/modules.markdown               |   6 +
 doc/api/net.markdown                   |  32 +++--
 doc/api/stream.markdown                |   4 +
 doc/api/tls.markdown                   |  16 +--
 doc/api/util.markdown                  |  51 +++++--
 doc/ctc-meetings/2016-02-17.md         | 240 +++++++++++++++++++++++++++++++
 doc/guides/building-node-with-ninja.md |  39 +++++
 doc/osx_installer_logo.png             | Bin 16640 -> 2521 bytes
 doc/releases.md                        |   2 +-
 tools/doc/README.md                    |  25 ----
 23 files changed, 625 insertions(+), 197 deletions(-)

Tests & Benchmarks only:

   0.0% benchmark/arrays/
   1.8% benchmark/assert/
   5.9% benchmark/buffers/
   2.5% benchmark/child_process/
   1.9% benchmark/crypto/
   0.2% benchmark/dgram/
   1.6% benchmark/domain/
   1.3% benchmark/events/
   0.5% benchmark/fs/
   2.0% benchmark/http/
   0.1% benchmark/misc/function_call/
  23.0% benchmark/misc/
   2.9% benchmark/module/
   0.8% benchmark/net/
   0.8% benchmark/path/
   6.9% benchmark/process/
   0.3% benchmark/querystring/
   3.6% benchmark/string_decoder/
   1.4% benchmark/timers/
   1.8% benchmark/tls/
   2.0% benchmark/url/
   0.2% benchmark/util/
  15.9% benchmark/
   0.4% test/internet/
  19.0% test/parallel/
   0.8% test/sequential/
   0.1% test/timers/
   1.0% test/
 148 files changed, 1027 insertions(+), 790 deletions(-)

Most active commit

Of the 74 commits, 1e86804 was the most active:
(Excluding docs, npm, eslint, and tests.)

commit 1e86804503ec7016b0b175a8f38e28e83830b2ed
Author: Ben Noordhuis <info@bnoordhuis.nl>
Date:   Tue Mar 1 14:03:58 2016 +0100

    deps: upgrade openssl to 1.0.2g

    PR-URL: https://github.com/nodejs/node/pull/5507
    Reviewed-By: Fedor Indutny <fedor@indutny.com>

   7.5% deps/openssl/asm/x64-elf-gas/aes/
   5.1% deps/openssl/asm/x64-elf-gas/bn/
  20.5% deps/openssl/asm/x64-elf-gas/sha/
   3.2% deps/openssl/asm/x64-elf-gas/
   7.4% deps/openssl/asm/x64-macosx-gas/aes/
   5.1% deps/openssl/asm/x64-macosx-gas/bn/
  20.4% deps/openssl/asm/x64-macosx-gas/sha/
   3.2% deps/openssl/asm/x64-macosx-gas/
   3.7% deps/openssl/asm/x86-elf-gas/sha/
   3.6% deps/openssl/asm/x86-macosx-gas/sha/
   3.6% deps/openssl/asm/x86-win32-masm/sha/
   5.9% deps/openssl/asm_obsolete/
   3.2% deps/openssl/openssl/crypto/bn/
   4.1% deps/openssl/openssl/
 173 files changed, 9866 insertions(+), 76198 deletions(-)

Do note that while we assess the security issues as being low-impact to Node.js, we still suggest you upgrade so as to avoid anything unforeseen.