Share

This week’s stable release fixes several regressions from v5.7.0, and also comes with a low-impact OpenSSL security upgrade.

We do not believe the issues from OpenSSL, as outlined in the Notable Changes below, are readily exploitable in Node.js.

Notably, CVE-2016-0800 (known as the DROWN Attack) does not effect Node.js v4 or v5, as we build without any support for SSLv2/3.

• Full Changelog
• Download

Overview

Of a total of 74 commits:

• 29 were documentation-only commits.
• 15 only modify tests and 3 only affect internal tooling.
• Upgraded openssl to 1.0.2g (up from 1.0.2h) #5507.

The remaining significant commits are as follows:

• [7cae774d9b] - benchmark: refactor to eliminate redeclared vars (Rich Trott) #5468
• [6aebe16669] - benchmark: add benchmark for buf.compare() (Rich Trott) #5441
• [00660f55c8] - benchmark: move string-decoder to its own category (Andreas Madsen) #5177
• [4650cb3818] - benchmark: fix configuation parameters (Andreas Madsen) #5177
• [3ccb275139] - benchmark: merge url.js with url-resolve.js (Andreas Madsen) #5177
• [c1e7dbffaa] - benchmark: move misc to categorized directories (Andreas Madsen) #5177
• [2f9fee6e8e] - benchmark: use strict mode (Rich Trott) #5336
• [4c09e7f359] - build: remove --quiet from eslint invocation (firedfox) #5519
• [2c619f2012] - build: run lint before tests (Rich Trott) #5470
• [f349a9a2cf] - build: update Node.js logo on OSX installer (Rod Vagg) #5401
• [88f393588a] - crypto: PBKDF2 works with int not ssize_t (Fedor Indutny) #5397
• [d3f9b84be8] - dgram: handle default address case when offset and length are specified (Matteo Collina)
• [d77c3bf204] - http_parser: use MakeCallback (Trevor Norris) #5419
• [e3421ac296] - lib: freelist: use .pop() for allocation (Anton Khlynovskiy) #2174
• [91d218d096] - path: fix path.relative() for prefixes at root (Owen Smith) #5490
• [ef7a088906] - path: fix win32 parse() (Zheng Chaoping) #5484
• [871396ce8f] - path: fix win32 relative() for UNC paths (Owen Smith) #5456
• [91782f1888] - path: fix win32 relative() when "to" is a prefix (Owen Smith) #5456
• [30cec18eeb] - path: fix verbose relative() output (Brian White) #5389
• [2b88523836] - repl: fix stack trace column number in strict mode (Prince J Wesley) #5416
• [51db48f741] - src,tools: remove null sentinel from source array (Ben Noordhuis) #5418
• [03a5daba55] - src,tools: drop nul byte from built-in source code (Ben Noordhuis) #5418
• [17d14f3346] - src,tools: allow utf-8 in built-in js source code (Ben Noordhuis) #5418
• [25c01cd779] - tls: fix assert in context.<i>external accessor (Ben Noordhuis) #5521
• [9424fa5732] - url: group slashed protocols by protocol name (nettofarah) #5380
• [dfe45f13e7] - url: fix off-by-one error with parse() (Brian White) #5394

Notable Changes

• governance: The Core Technical Committee (CTC) added four new members to help guide Node.js core development: Evan Lucas, Rich Trott, Ali Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
• openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) #5507.
  • Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705.
  • Fix a defect that can cause memory corruption in certain very rare cases relating to the internal BN_hex2bn() and BN_dec2bn() functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely to be possible. More info is available at CVE-2016-0797.
  • Fix a defect that makes the CacheBleed Attack possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702.
• Fixed several regressions that appeared in v5.7.0:
  • ](https://github.com/nodejs/node/pull/5456:
    • Output is no longer unnecessarily verbose (Brian White) #5389.
    • Resolving UNC paths on Windows now works correctly (Owen Smith) #5456.
    • Resolving paths with prefixes now works correctly from the root directory (Owen Smith) #5490.
  • url: Fixed an off-by-one error with parse() (Brian White) #5394.
  • dgram: Now correctly handles a default address case when offset and length are specified (Matteo Collina) #5407.

Git Diffstats

(Showing the delta between v5.7.0 and v5.7.1, ignoring deps/npm.)

Without deps, docs, benchmarks, or tests:

 .eslintrc                 |  5 ++-
 Makefile                  |  9 ++---
 lib/.eslintrc             |  3 ++
 lib/dgram.js              | 10 ++++--
 lib/internal/freelist.js  |  2 +-
 lib/path.js               | 70 +++++++++++++++++++++++++++---------
 lib/repl.js               |  6 +++-
 lib/url.js                | 10 +++---
 src/async-wrap.h          |  1 +
 src/node_crypto.cc        | 88 ++++++++++++++++++++++++---------------------
 src/node_http_parser.cc   | 27 +++++++++-----
 src/node_javascript.cc    | 24 ++++++-------
 src/node_version.h        |  2 +-
 tools/doc/addon-verify.js |  6 ++++
 tools/doc/html.js         | 32 +++++++++++++++++
 tools/js2c.py             | 33 +++--------------
 tools/test.py             | 11 +++++-
 vcbuild.bat               |  2 +-
 18 files changed, 218 insertions(+), 123 deletions(-)

Deps only:

   7.5% deps/openssl/asm/x64-elf-gas/aes/
   5.1% deps/openssl/asm/x64-elf-gas/bn/
   1.5% deps/openssl/asm/x64-elf-gas/ec/
   1.7% deps/openssl/asm/x64-elf-gas/modes/
  20.5% deps/openssl/asm/x64-elf-gas/sha/
   7.4% deps/openssl/asm/x64-macosx-gas/aes/
   5.1% deps/openssl/asm/x64-macosx-gas/bn/
   1.4% deps/openssl/asm/x64-macosx-gas/ec/
   1.7% deps/openssl/asm/x64-macosx-gas/modes/
  20.4% deps/openssl/asm/x64-macosx-gas/sha/
   2.6% deps/openssl/asm/x64-win32-masm/bn/
   3.7% deps/openssl/asm/x86-elf-gas/sha/
   3.6% deps/openssl/asm/x86-macosx-gas/sha/
   3.6% deps/openssl/asm/x86-win32-masm/sha/
   1.2% deps/openssl/asm_obsolete/x64-elf-gas/bn/
   0.9% deps/openssl/asm_obsolete/x64-elf-gas/
   1.2% deps/openssl/asm_obsolete/x64-macosx-gas/bn/
   0.9% deps/openssl/asm_obsolete/x64-macosx-gas/
   1.6% deps/openssl/asm_obsolete/x64-win32-masm/bn/
   2.9% deps/openssl/openssl/crypto/bn/asm/
   1.3% deps/openssl/openssl/crypto/
   0.7% deps/openssl/openssl/doc/ssl/
   0.8% deps/openssl/openssl/ssl/
   1.5% deps/openssl/openssl/
 173 files changed, 9866 insertions(+), 76198 deletions(-)

Docs only:

 CHANGELOG.md                           |  94 ++++++++++++
 README.md                              |  12 +-
 ROADMAP.md                             |   4 +-
 doc/api/addons.markdown                |  22 +--
 doc/api/assert.markdown                |   5 +-
 doc/api/buffer.markdown                |   7 +-
 doc/api/child_process.markdown         |   2 +-
 doc/api/cluster.markdown               |   3 +-
 doc/api/crypto.markdown                | 227 +++++++++++++++--------------
 doc/api/dgram.markdown                 |   2 +-
 doc/api/documentation.markdown         |  16 +++
 doc/api/fs.markdown                    |   9 ++
 doc/api/http.markdown                  |   4 +-
 doc/api/modules.markdown               |   6 +
 doc/api/net.markdown                   |  32 +++--
 doc/api/stream.markdown                |   4 +
 doc/api/tls.markdown                   |  16 +--
 doc/api/util.markdown                  |  51 +++++--
 doc/ctc-meetings/2016-02-17.md         | 240 +++++++++++++++++++++++++++++++
 doc/guides/building-node-with-ninja.md |  39 +++++
 doc/osx_installer_logo.png             | Bin 16640 -> 2521 bytes
 doc/releases.md                        |   2 +-
 tools/doc/README.md                    |  25 ----
 23 files changed, 625 insertions(+), 197 deletions(-)

Tests & Benchmarks only:

   0.0% benchmark/arrays/
   1.8% benchmark/assert/
   5.9% benchmark/buffers/
   2.5% benchmark/child_process/
   1.9% benchmark/crypto/
   0.2% benchmark/dgram/
   1.6% benchmark/domain/
   1.3% benchmark/events/
   0.5% benchmark/fs/
   2.0% benchmark/http/
   0.1% benchmark/misc/function_call/
  23.0% benchmark/misc/
   2.9% benchmark/module/
   0.8% benchmark/net/
   0.8% benchmark/path/
   6.9% benchmark/process/
   0.3% benchmark/querystring/
   3.6% benchmark/string_decoder/
   1.4% benchmark/timers/
   1.8% benchmark/tls/
   2.0% benchmark/url/
   0.2% benchmark/util/
  15.9% benchmark/
   0.4% test/internet/
  19.0% test/parallel/
   0.8% test/sequential/
   0.1% test/timers/
   1.0% test/
 148 files changed, 1027 insertions(+), 790 deletions(-)

Most active commit

Of the 74 commits, 1e86804 was the most active:
(Excluding docs, npm, eslint, and tests.)

commit 1e86804503ec7016b0b175a8f38e28e83830b2ed
Author: Ben Noordhuis <info@bnoordhuis.nl>
Date:   Tue Mar 1 14:03:58 2016 +0100

    deps: upgrade openssl to 1.0.2g

    PR-URL: https://github.com/nodejs/node/pull/5507
    Reviewed-By: Fedor Indutny <fedor@indutny.com>

   7.5% deps/openssl/asm/x64-elf-gas/aes/
   5.1% deps/openssl/asm/x64-elf-gas/bn/
  20.5% deps/openssl/asm/x64-elf-gas/sha/
   3.2% deps/openssl/asm/x64-elf-gas/
   7.4% deps/openssl/asm/x64-macosx-gas/aes/
   5.1% deps/openssl/asm/x64-macosx-gas/bn/
  20.4% deps/openssl/asm/x64-macosx-gas/sha/
   3.2% deps/openssl/asm/x64-macosx-gas/
   3.7% deps/openssl/asm/x86-elf-gas/sha/
   3.6% deps/openssl/asm/x86-macosx-gas/sha/
   3.6% deps/openssl/asm/x86-win32-masm/sha/
   5.9% deps/openssl/asm_obsolete/
   3.2% deps/openssl/openssl/crypto/bn/
   4.1% deps/openssl/openssl/
 173 files changed, 9866 insertions(+), 76198 deletions(-)

Do note that while we assess the security issues as being low-impact to Node.js, we still suggest you upgrade so as to avoid anything unforeseen.