</li>
<li><p>fs: 64bit offsets for fs calls (Igor Zinkovsky)</p>
</li>
-<li><p>fs: add sync open flags 'rs' and 'rs+' (Kevin Bowman)</p>
+<li><p>fs: add sync open flags 'rs' and 'rs+' (Kevin Bowman)</p>
</li>
<li><p>windows: enable creating directory junctions with fs.symlink (Igor Zinkovsky, Bert Belder)</p>
</li>
</li>
<li><p>tls: mitigate session renegotiation attacks (Ben Noordhuis)</p>
</li>
-<li><p>tcp, pipe: don't assert on uv_accept() errors (Ben Noordhuis)</p>
+<li><p>tcp, pipe: don't assert on uv_accept() errors (Ben Noordhuis)</p>
</li>
<li><p>tls: Allow establishing secure connection on the existing socket (koichik)</p>
</li>
</li>
<li><p>dtrace: add missing translator (Dave Pacheco)</p>
</li>
-<li><p>unix: don't flush tty on switch to raw mode (Ben Noordhuis)</p>
+<li><p>unix: don't flush tty on switch to raw mode (Ben Noordhuis)</p>
</li>
<li><p>windows: reset brightness when reverting to default text color (Bert Belder)</p>
</li>
<li><p>npm: update to 1.1.1</p>
-<p>- Update which, fstream, mkdirp, request, and rimraf<br>- Fix #2123 Set path properly for lifecycle scripts on windows<br>- Mark the root as seen, so we don't recurse into it. Fixes #1838. (Martin Cooper)</p>
+<p>- Update which, fstream, mkdirp, request, and rimraf<br>- Fix #2123 Set path properly for lifecycle scripts on windows<br>- Mark the root as seen, so we don't recurse into it. Fixes #1838. (Martin Cooper)</p>
</li>
</ul>
</li>
<li><p>#2827 net: fix race write() before and after connect() (koichik)</p>
</li>
-<li><p>#2554 #2567 throw if fs args for 'start' or 'end' are strings (AJ ONeal)</p>
+<li><p>#2554 #2567 throw if fs args for 'start' or 'end' are strings (AJ ONeal)</p>
</li>
<li><p>punycode: Update to v1.0.0 (Mathias Bynens)</p>
</li>
- install: support --save with url install targets<br>
- shrinkwrap: behave properly with url-installed modules<br>
- support installing uncompressed tars or single file modules from urls etc.<br>
-- don't run make clean on rebuild<br>
+- don't run make clean on rebuild<br>
- support HTTPS-over-HTTP proxy tunneling<br>
</p>
</li>
</p>
<ul>
-<li><p>net: don't crash when queued write fails (Igor Zinkovsky)</p>
+<li><p>net: don't crash when queued write fails (Igor Zinkovsky)</p>
</li>
<li><p>sunos: fix EMFILE on process.memoryUsage() (Bryan Cantrill)</p>
</li>
<p>
- upgrade node-gyp to 0.3.7<br>
- work around AV-locked directories on Windows<br>
-- Fix isaacs/npm#2293 Don't try to 'uninstall' /<br>
+- Fix isaacs/npm#2293 Don't try to 'uninstall' /<br>
- Exclude symbolic links from packages.<br>
-- Fix isaacs/npm#2275 Spurious 'unresolvable cycle' error.<br>
+- Fix isaacs/npm#2275 Spurious 'unresolvable cycle' error.<br>
- Exclude/include dot files as if they were normal files
</p>
</li>
</li>
<li><p>add 64bit offset fs functions (Igor Zinkovsky)</p>
</li>
-<li><p>windows: don't report ENOTSOCK when attempting to bind an udp handle twice (Bert Belder)</p>
+<li><p>windows: don't report ENOTSOCK when attempting to bind an udp handle twice (Bert Belder)</p>
</li>
<li><p>windows: backport pipe-connect-to-file fixes from master (Bert Belder)</p>
</li>
<li><p>windows: never call fs event callbacks after closing the watcher (Bert Belder)</p>
</li>
-<li><p>fs.readFile: don't make the callback before the fd is closed (Bert Belder)</p>
+<li><p>fs.readFile: don't make the callback before the fd is closed (Bert Belder)</p>
</li>
<li><p>windows: use 64bit offsets for uv_fs apis (Igor Zinkovsky)</p>
</li>
</li>
<li><p>http_parser: Eat CRLF between requests, even on connection:close. (Ben Noordhuis)</p>
</li>
-<li><p>don't check return value of unsetenv (Ben Noordhuis)</p>
+<li><p>don't check return value of unsetenv (Ben Noordhuis)</p>
</li>
</ul>
<p>Source Code: <a href="http://nodejs.org/dist/v0.6.16/node-v0.6.16.tar.gz">http://nodejs.org/dist/v0.6.16/node-v0.6.16.tar.gz</a>
</li>
<li><p>#3258: fs.ReadStream.pause() emits duplicate data event (koichik)</p>
</li>
-<li><p>pipe_wrap: don't assert() on pipe accept errors (Ben Noordhuis)</p>
+<li><p>pipe_wrap: don't assert() on pipe accept errors (Ben Noordhuis)</p>
</li>
<li><p>Better exception output for module load and process.nextTick (Felix Geisendörfer)</p>
</li>
<li><p>zlib: fix error reporting (Ben Noordhuis)</p>
</li>
-<li><p>http: Don't destroy on timeout (isaacs)</p>
+<li><p>http: Don't destroy on timeout (isaacs)</p>
</li>
-<li><p>#3231: http: Don't try to emit error on a null'ed req object (isaacs)</p>
+<li><p>#3231: http: Don't try to emit error on a null'ed req object (isaacs)</p>
</li>
<li><p>#3236: http: Refactor ClientRequest.onSocket (isaacs)</p>
</li>
</li>
<li><p>windows/msi: add start menu links when installing (Jeroen Janssen)</p>
</li>
-<li><p>windows: don't install x64 version into the 'program files (x86)' folder (Matt Gollob)</p>
+<li><p>windows: don't install x64 version into the 'program files (x86)' folder (Matt Gollob)</p>
</li>
<li><p>domain: Fix #3379 domain.intercept no longer passes error arg to cb (Marc Harter)</p>
</li>
</li>
<li><p>Fix #3425: removeAllListeners should delete array (Reid Burke)</p>
</li>
-<li><p>cluster: don't silently drop messages when the write queue gets big (Bert Belder)</p>
+<li><p>cluster: don't silently drop messages when the write queue gets big (Bert Belder)</p>
</li>
<li><p>Add Buffer.concat method (isaacs)</p>
</li>
</li>
<li><p>Windows: Enable ETW events on Windows for existing DTrace probes. (Igor Zinkovsky)</p>
</li>
-<li><p>test: bundle node-weak in test/gc so that it doesn't need to be downloaded (Nathan Rajlich)</p>
+<li><p>test: bundle node-weak in test/gc so that it doesn't need to be downloaded (Nathan Rajlich)</p>
</li>
<li><p>Make many tests pass on Windows (Bert Belder)</p>
</li>
<p>Please try out this release. There will be very virtually no changes between this and the v0.8.x release family. This is the last chance to comment before it is locked down for stability. The API is effectively frozen now. </p>
<p>This version adds backwards-compatible shims for binary addons that use libeio and libev directly. If you find that binary modules that could compile on v0.6 can not compile on this version, please let us know. Note that libev is officially deprecated in v0.8, and will be removed in v0.9. You should be porting your modules to use libuv as soon as possible. </p>
<p>V8 is on 3.11.10 currently, and will remain on the V8 3.11.x branch for the duration of Node v0.8.x. </p>
-<ul> <li><p>npm: Upgrade to 1.1.30<br> - Improved 'npm init'<br> - Fix the 'cb never called' error from 'oudated' and 'update'<br> - Add --save-bundle|-B config<br> - Fix isaacs/npm#2465: Make npm script and windows shims cygwin-aware<br> - Fix isaacs/npm#2452 Use --save(-dev|-optional) in npm rm<br> - <code>logstream</code> option to replace removed <code>logfd</code> (Rod Vagg)<br> - Read default descriptions from README.md files </p>
+<ul> <li><p>npm: Upgrade to 1.1.30<br> - Improved 'npm init'<br> - Fix the 'cb never called' error from 'oudated' and 'update'<br> - Add --save-bundle|-B config<br> - Fix isaacs/npm#2465: Make npm script and windows shims cygwin-aware<br> - Fix isaacs/npm#2452 Use --save(-dev|-optional) in npm rm<br> - <code>logstream</code> option to replace removed <code>logfd</code> (Rod Vagg)<br> - Read default descriptions from README.md files </p>
</li> <li><p>Shims to support deprecated <code>ev_*</code> and <code>eio_*</code> methods (Ben Noordhuis)</p>
</li> <li><p>#3118 net.Socket: Delay pause/resume until after connect (isaacs)</p>
</li> <li><p>#3465 Add ./configure --no-ifaddrs flag (isaacs)</p>
</li>
<li><p>build: Make a fat binary for the OS X <code>make pkg</code>. (Nathan Rajlich)</p>
</li>
-<li><p>jslint src/ and lib/ on 'make test' (isaacs)</p>
+<li><p>jslint src/ and lib/ on 'make test' (isaacs)</p>
</li>
</ul>
<p>Source Code: <a href="http://nodejs.org/dist/v0.7.5/node-v0.7.5.tar.gz">http://nodejs.org/dist/v0.7.5/node-v0.7.5.tar.gz</a>
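Review bot: the typo 'oudated' in the npm 1.1.30 line (for the `npm outdated` command, alongside 'update') is carried over unchanged from the removed line to the added one; since this line is being touched anyway, correct it to 'outdated' in the same change.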
- Handle cases where an optionalDependency fails to build<br>
</p>
</li>
-<li><p>events: newListener emit correct fn when using 'once' (Roly Fentanes)</p>
+<li><p>events: newListener emit correct fn when using 'once' (Roly Fentanes)</p>
</li>
<li><p>url: Ignore empty port component (Łukasz Walukiewicz)</p>
</li>
-<li><p>module: replace 'children' array (isaacs)</p>
+<li><p>module: replace 'children' array (isaacs)</p>
</li>
<li><p>tls: parse multiple values of a key in ssl certificate (Sambasiva Suda)</p>
</li>
</li>
<li><p>cluster: add graceful disconnect support (Andreas Madsen)</p>
</li>
-<li><p>child_process: Separate 'close' event from 'exit' (Charlie McConnell)</p>
+<li><p>child_process: Separate 'close' event from 'exit' (Charlie McConnell)</p>
</li>
<li><p>typed arrays: add Uint8ClampedArray (Mikael Bourges-Sevenier)</p>
</li>
</li>
<li><p>Expose http parse error codes (Felix Geisendörfer)</p>
</li>
-<li><p>events: don't delete the listeners array (Ben Noordhuis, Nathan Rajlich)</p>
+<li><p>events: don't delete the listeners array (Ben Noordhuis, Nathan Rajlich)</p>
</li>
-<li><p>process: add process.config to view node's ./configure settings (Nathan Rajlich)</p>
+<li><p>process: add process.config to view node's ./configure settings (Nathan Rajlich)</p>
</li>
-<li><p>process: process.execArgv to see node's arguments (Micheil Smith)</p>
+<li><p>process: process.execArgv to see node's arguments (Micheil Smith)</p>
</li>
<li><p>process: fix process.title setter (Ben Noordhuis)</p>
</li>
</li>
<li><p>typed arrays: unexport SizeOfArrayElementForType() (Aaron Jacobs)</p>
</li>
-<li><p>net: honor 'enable' flag in .setNoDelay() (Ben Noordhuis)</p>
+<li><p>net: honor 'enable' flag in .setNoDelay() (Ben Noordhuis)</p>
</li>
<li><p>child_process: emit error when .kill fails (Andreas Madsen)</p>
</li>
-<li><p>gyp: fix 'argument list too long' build error (Ben Noordhuis)</p>
+<li><p>gyp: fix 'argument list too long' build error (Ben Noordhuis)</p>
</li>
<li><p>fs.WriteStream: Handle modifications to fs.open (isaacs)</p>
</li>
<h2>Details</h2>
-<p>A few weeks ago, Matthew Daley found a security vulnerability in Node's HTTP implementation, and thankfully did the responsible thing and reported it to us via email. He explained it quite well, so I'll quote him here:</p>
+<p>A few weeks ago, Matthew Daley found a security vulnerability in Node's HTTP implementation, and thankfully did the responsible thing and reported it to us via email. He explained it quite well, so I'll quote him here:</p>
<blockquote>
-<p>There is a vulnerability in node's `http_parser` binding which allows information disclosure to a remote attacker:
+<p>There is a vulnerability in node's `http_parser` binding which allows information disclosure to a remote attacker:
</p>
<p>In node::StringPtr::Update, an attempt is made at an optimization on certain inputs (`node_http_parser.cc`, line 151). The intent is that if the current string pointer plus the current string size is equal to the incoming string pointer, the current string size is just increased to match, as the incoming string lies just beyond the current string pointer. However, the check to see whether or not this can be done is incorrect; "size" is used whereas "size_" should be used. Therefore, an attacker can call Update with a string of certain length and cause the current string to have other data appended to it. In the case of HTTP being parsed out of incoming socket data, this can be incoming data from other sockets.
</blockquote>
<p>The fix landed on <a href="https://github.com/joyent/node/commit/7b3fb22">7b3fb22</a> and <a href="https://github.com/joyent/node/commit/c9a231d">c9a231d</a>, for master and v0.6, respectively. The innocuous commit message does not give away the security implications, precisely because we wanted to get a fix out before making a big deal about it. </p>
<p>The first releases with the fix are v0.7.8 and 0.6.17. So now is a good time to make a big deal about it. </p>
-<p>If you are using node version 0.6 in production, please upgrade to at least <a href="http://blog.nodejs.org/2012/05/04/version-0-6-17-stable/">v0.6.17</a>, or at least apply the fix in <a href="https://github.com/joyent/node/commit/c9a231d">c9a231d</a> to your system. (Version 0.6.17 also fixes some other important bugs, and is without doubt the most stable release of Node 0.6 to date, so it's a good idea to upgrade anyway.) </p>
-<p>I'm extremely grateful that Matthew took the time to report the problem to us with such an elegant explanation, and in such a way that we had a reasonable amount of time to fix the issue before making it public. </p>
+<p>If you are using node version 0.6 in production, please upgrade to at least <a href="http://blog.nodejs.org/2012/05/04/version-0-6-17-stable/">v0.6.17</a>, or at least apply the fix in <a href="https://github.com/joyent/node/commit/c9a231d">c9a231d</a> to your system. (Version 0.6.17 also fixes some other important bugs, and is without doubt the most stable release of Node 0.6 to date, so it's a good idea to upgrade anyway.) </p>
+<p>I'm extremely grateful that Matthew took the time to report the problem to us with such an elegant explanation, and in such a way that we had a reasonable amount of time to fix the issue before making it public. </p>
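Review bot: the removed and added lines in this region render identically here, so the actual change cannot be checked from this view; every touched line contains an apostrophe, which suggests the difference lies in how it is escaped, and that should be confirmed against the raw file. While these lines are being touched, `http_parser` and `node_http_parser.cc` in the quoted report sit in markdown backticks inside `<p>`, which will render as literal backticks; the rest of the document uses `<code>` for this (see `<code>ev_*</code>` and `<code>eio_*</code>` above).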
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
- .replace(/'/g, ''');
+ .replace(/'/g, ''');
};
var mangle = function(text) {
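Review bot: as shown, each step in the escaping chain replaces a character with itself (`.replace(/</g, '<')`, `.replace(/"/g, '"')`, and the changed `.replace(/'/g, ''')`), which would make the function a no-op; the entity text appears to have been decoded in this view, so verify in the raw file that the replacement strings are the entities (`&lt;`, `&gt;`, `&quot;` and an apostrophe entity such as `&#39;`). Also confirm that a `.replace(/&/g, '&amp;')` step comes before these (the start of the chain is not shown): if `&` is escaped after the others, the entities just produced are double-escaped.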