From 9214a4eaad21adf7e261b4a699d43f33b3eab137 Mon Sep 17 00:00:00 2001
From: Myles Borins <mylesborins@google.com>
Date: Thu, 7 Dec 2017 15:07:03 -0500
Subject: [PATCH] 2017-12-08, Version 8.9.3 'Carbon' (LTS)

This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2017-15896
* CVE-2017-15897
* CVE-2017-3738 (from the openssl project)

Notable Changes:

* buffer:
  * buffer allocated with an invalid content will now be zero filled
    (Anna Henningsen)
    https://github.com/nodejs/node/pull/17428
* deps:
  * openssl updated to 1.0.2n (Shigeki Ohtsu)
    https://github.com/nodejs/node/pull/17526

PR-URL: https://github.com/nodejs/node/pull/17532
---
 CHANGELOG.md                   |  3 ++-
 doc/api/buffer.md              |  2 +-
 doc/api/http2.md               | 16 ++++++-------
 doc/changelogs/CHANGELOG_V8.md | 41 ++++++++++++++++++++++++++++++++++
 src/node_version.h             |  2 +-
 5 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76d5b50a934dee..0065d339f07a21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,7 +27,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V8.md#8.9.2">8.9.2</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V8.md#8.9.3">8.9.3</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V8.md#8.9.2">8.9.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V8.md#8.9.1">8.9.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V8.md#8.9.0">8.9.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V8.md#8.8.1">8.8.1</a><br/>
diff --git a/doc/api/buffer.md b/doc/api/buffer.md
index c9f975770bc6ae..4a54a25bfc990e 100644
--- a/doc/api/buffer.md
+++ b/doc/api/buffer.md
@@ -511,7 +511,7 @@ console.log(buf2.toString());
 <!-- YAML
 added: v5.10.0
 changes:
-  - version: REPLACEME
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/17428
     description: Specifying an invalid string for `fill` now results in a
                  zero-filled buffer.
diff --git a/doc/api/http2.md b/doc/api/http2.md
index 7ae796ec478d23..3e95ac2a699d98 100644
--- a/doc/api/http2.md
+++ b/doc/api/http2.md
@@ -344,7 +344,7 @@ frames have been acknowledged.
 
 #### http2session.ping([payload, ]callback)
 <!-- YAML
-added: REPLACEME
+added: v8.9.3
 -->
 
 * `payload` {Buffer|TypedArray|DataView} Optional ping payload.
@@ -1473,11 +1473,11 @@ not be emitted.
 <!-- YAML
 added: v8.4.0
 changes:
-  - version: REPLACEME
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/17105
     description: Added the `maxOutstandingPings` option with a default limit of
                  10.
-  - version: REPLACEME
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/16676
     description: Added the `maxHeaderListPairs` option with a default limit of
                  128 header pairs.
@@ -1541,11 +1541,11 @@ server.listen(80);
 <!-- YAML
 added: v8.4.0
 changes:
-  - version: REPLACEME
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/17105
     description: Added the `maxOutstandingPings` option with a default limit of
                  10.
-  - version: REPLACEME 
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/16676
     description: Added the `maxHeaderListPairs` option with a default limit of
                  128 header pairs.
@@ -1619,11 +1619,11 @@ server.listen(80);
 <!-- YAML
 added: v8.4.0
 changes:
-  - version: REPLACEME
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/17105
     description: Added the `maxOutstandingPings` option with a default limit of
                  10.
-  - version: REPLACEME
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/16676
     description: Added the `maxHeaderListPairs` option with a default limit of
                  128 header pairs.
@@ -1791,7 +1791,7 @@ server.on('stream', (stream, headers) => {
 <!-- YAML
 added: v8.4.0
 changes:
-  - version: REPLACEME
+  - version: v8.9.3
     pr-url: https://github.com/nodejs/node/pull/16676
     description: The `maxHeaderListSize` setting is now strictly enforced.
 -->
diff --git a/doc/changelogs/CHANGELOG_V8.md b/doc/changelogs/CHANGELOG_V8.md
index 4c4c0ae447f705..2a592e42a6a67d 100644
--- a/doc/changelogs/CHANGELOG_V8.md
+++ b/doc/changelogs/CHANGELOG_V8.md
@@ -7,6 +7,7 @@
 </tr>
 <tr>
 <td valign="top">
+<a href="#8.9.3">8.9.3</a><br/>
 <a href="#8.9.2">8.9.2</a><br/>
 <a href="#8.9.1">8.9.1</a><br/>
 <a href="#8.9.0">8.9.0</a><br/>
@@ -45,6 +46,46 @@
 [Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and
 will be supported actively until April 2019 and maintained until December 2019.
 
+<a id="8.9.3"></a>
+## 2017-12-08, Version 8.9.3 'Carbon' (LTS), @MylesBorins
+
+This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities.
+
+Fixes for the following CVEs are included in this release:
+
+* CVE-2017-15896
+* CVE-2017-15897
+* CVE-2017-3738 (from the openssl project)
+
+### Notable Changes
+
+* **buffer**:
+  * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428)
+* **deps**:
+  * openssl updated to 1.0.2n (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)
+
+### Commits
+
+* [[`b05ef978d3`](https://github.com/nodejs/node/commit/b05ef978d3)] - **buffer**: zero-fill buffer allocated with invalid content (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428)
+* [[`18652b6860`](https://github.com/nodejs/node/commit/18652b6860)] - **deps**: update openssl asm and asm_obsolete files (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)
+* [[`e6c308e237`](https://github.com/nodejs/node/commit/e6c308e237)] - **deps**: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) [nodejs/io.js#1836](https://github.com/nodejs/io.js/pull/1836)
+* [[`a85f94bd59`](https://github.com/nodejs/node/commit/a85f94bd59)] - **deps**: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389)
+* [[`b5552c854c`](https://github.com/nodejs/node/commit/b5552c854c)] - **deps**: fix openssl assembly error on ia32 win32 (Fedor Indutny) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389)
+* [[`afad1f23a2`](https://github.com/nodejs/node/commit/afad1f23a2)] - **deps**: copy all openssl header files to include dir (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)
+* [[`9fdd3bddf5`](https://github.com/nodejs/node/commit/9fdd3bddf5)] - **deps**: upgrade openssl sources to 1.0.2n (Shigeki Ohtsu) [#17526](https://github.com/nodejs/node/pull/17526)
+* [[`db09f245bf`](https://github.com/nodejs/node/commit/db09f245bf)] - **doc**: warn against filling buffer with invalid data (Anna Henningsen) [#17428](https://github.com/nodejs/node/pull/17428)
+* [[`8979e0d761`](https://github.com/nodejs/node/commit/8979e0d761)] - **http2**: use 'close' event instead of 'streamClosed' (James M Snell) [#17328](https://github.com/nodejs/node/pull/17328)
+* [[`7ceccb1f2a`](https://github.com/nodejs/node/commit/7ceccb1f2a)] - **http2**: general cleanups in core.js (James M Snell) [#17209](https://github.com/nodejs/node/pull/17209)
+* [[`929f387cc8`](https://github.com/nodejs/node/commit/929f387cc8)] - **http2**: major update to internals (James M Snell) [#17105](https://github.com/nodejs/node/pull/17105)
+* [[`2b25ad1f9a`](https://github.com/nodejs/node/commit/2b25ad1f9a)] - **http2**: simplify subsequent rstStream calls (Anatoli Papirovski) [#16753](https://github.com/nodejs/node/pull/16753)
+* [[`ba127842c0`](https://github.com/nodejs/node/commit/ba127842c0)] - **http2**: refactor multiple internals (James M Snell) [#16676](https://github.com/nodejs/node/pull/16676)
+* [[`7e663d30c3`](https://github.com/nodejs/node/commit/7e663d30c3)] - **http2**: allocate on every chunk send (James M Snell) [#16669](https://github.com/nodejs/node/pull/16669)
+* [[`d607718448`](https://github.com/nodejs/node/commit/d607718448)] - **http2**: use correct connect event for TLS Socket (James M Snell) [#17328](https://github.com/nodejs/node/pull/17328)
+* [[`7d68488524`](https://github.com/nodejs/node/commit/7d68488524)] - **openssl**: fix keypress requirement in apps on win32 (Shigeki Ohtsu) [iojs/io.js#1389](https://github.com/iojs/io.js/pull/1389)
+* [[`73c2bb5a88`](https://github.com/nodejs/node/commit/73c2bb5a88)] - **src**: fix -Winconsistent-missing-override warning (Ben Noordhuis) [#16726](https://github.com/nodejs/node/pull/16726)
+* [[`8ffb24bcf9`](https://github.com/nodejs/node/commit/8ffb24bcf9)] - **src**: add method to compute storage in WriteWrap (Anna Henningsen) [#16727](https://github.com/nodejs/node/pull/16727)
+* [[`ab87282a84`](https://github.com/nodejs/node/commit/ab87282a84)] - **test**: fix flaky test-http2-create-client-connect (David Benjamin) [#16130](https://github.com/nodejs/node/pull/16130)
+
 <a id="8.9.2"></a>
 ## 2017-12-05, Version 8.9.2 'Carbon' (LTS), @gibfahn
 
diff --git a/src/node_version.h b/src/node_version.h
index f615681cc3bb09..e06cb2bced4031 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -29,7 +29,7 @@
 #define NODE_VERSION_IS_LTS 1
 #define NODE_VERSION_LTS_CODENAME "Carbon"
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)