
Comparing changes: nodejs/node, base v6.16.0 ... compare v6.17.0
  • 13 commits
  • 54 files changed
  • 10 contributors

Commits on Dec 26, 2018

  1. Working on v6.16.1

    PR-URL: #25178
    MylesBorins committed Dec 26, 2018

    Verified: signed with the committer's verified signature (Myles Borins); the key has expired.
    Commit d82f8c4

Commits on Feb 28, 2019

  1. http: destroy sockets after keepAliveTimeout

    Implement server.keepAliveTimeout in addition to server.timeout to
    prevent temporary socket/memory leaking in keep-alive mode.
    
    PR-URL: #2534
    Author: Timur Shemsedinov <timur.shemsedinov@gmail.com>
    Author: Alexey Orlenko <eaglexrlnk@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    tshemsedinov authored and rvagg committed Feb 28, 2019
    Commit f23b3b6
  2. http: fix timeout reset after keep-alive timeout

    Fix the logic of resetting the socket timeout of keep-alive HTTP
    connections and add two tests:
    
    * `test-http-server-keep-alive-timeout-slow-server` is a regression test
      for GH-13391.  It ensures that the server-side keep-alive timeout will
      not fire during processing of a request.
    
    * `test-http-server-keep-alive-timeout-slow-client-headers` ensures that
      the regular socket timeout is restored as soon as a client starts
      sending a new request, not as soon as the whole message is received,
      so that the keep-alive timeout will not fire while, e.g., the client
      is sending large cookies.
    
    Refs: #2534
    Fixes: #13391
    PR-URL: #13549
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Brian White <mscdex@mscdex.net>
    aqrln authored and rvagg committed Feb 28, 2019

    Unverified: this commit is not signed, but one or more authors require that any commit attributed to them is signed.
    Commit e9ae4aa
  3. test: improve test-https-server-keep-alive-timeout

    The test is flaky under load. These changes greatly improve reliability.
    
    * Use a recurring interval to determine when the test should end rather
      than a timer.
    * Increase server timeout to 500ms to allow for events being delayed by
      system load
    
    Changing to an interval has the added benefit of reducing the test run
    time from over 2 seconds to under 1 second.
    
    Fixes: #13307
    
    PR-URL: #13312
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
    Trott authored and rvagg committed Feb 28, 2019
    Commit 1c7fbdc
  4. test: refactor test-http-server-keep-alive-timeout

    Make the same reliability changes that were applied to the https test in
    ce5745b.
    
    Refs: #13312
    PR-URL: #13448
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
    realwakka authored and rvagg committed Feb 28, 2019
    Commit 06a208d
  5. http: prevent slowloris with keepalive connections

    Fixes: nodejs-private/security#214
    PR-URL: nodejs-private/node-private#162
    Reviewed-By: Rod Vagg <rod@vagg.org>
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    mcollina authored and rvagg committed Feb 28, 2019
    Commit b13b4a9
  6. deps: upgrade openssl sources to 1.0.2r

    This replaces all sources in deps/openssl/openssl with those of
    openssl-1.0.2r.tar.gz.
    shigeki authored and rvagg committed Feb 28, 2019
    Commit da12284
  7. deps: copy all openssl header files to include dir

    All symlink files in `deps/openssl/openssl/include/openssl/`
    are removed and replaced with real header files to avoid
    issues on Windows. The two opensslconf.h files in the crypto and
    include dirs are replaced with ones that refer to config/opensslconf.h.
    shigeki authored and rvagg committed Feb 28, 2019
    Commit 661fd61
  8. deps: fix openssl assembly error on ia32 win32

    `x86masm.pl` was mistakenly using the .486 instruction set, while `cpuid`
    (and perhaps others) require .686.
    
    Fixes: #589
    PR-URL: #1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
    indutny authored and rvagg committed Feb 28, 2019
    Commit 1d3c412
  9. deps: fix asm build error of openssl in x86_win32

    See
    https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html
    
    iojs needs to stop using masm and move to nasm or yasm on Win32.
    
    Fixes: #589
    PR-URL: #1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Shigeki Ohtsu authored and rvagg committed Feb 28, 2019
    Commit a80ef49
  10. openssl: fix keypress requirement in apps on win32

    Reapply b910613 .
    
    Fixes: #589
    PR-URL: #1389
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Shigeki Ohtsu authored and rvagg committed Feb 28, 2019
    Commit 1908944
  11. deps: add -no_rand_screen to openssl s_client

    In openssl s_client on Windows, RAND_screen() is invoked to initialize
    the random state, but it takes several seconds on each connection.
    This adds -no_rand_screen to openssl s_client on Windows to skip
    RAND_screen() and get better performance in the test-tls-server-verify
    unit test.
    Do not enable this except for use in the unit test.
    
    Fixes: #1461
    PR-URL: #1836
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Shigeki Ohtsu authored and rvagg committed Feb 28, 2019
    Commit b282c68
  12. 2019-02-28, Version 6.17.0 'Boron' (LTS)

    This is a security release. All Node.js users should consult the security
    release summary at:
    
      https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
    
    for details on patched vulnerabilities.
    
    Fixes for the following CVEs are included in this release:
    
      * Node.js: Denial of Service with keep-alive HTTP connections
        (CVE-2019-5739)
      * Node.js: Slowloris HTTP Denial of Service with keep-alive
        (CVE-2019-5737)
      * OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
    
    Notable Changes:
    
    * deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
      CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
      certain circumstances, a TLS server can be forced to respond differently to
      a client if a zero-byte record is received with an invalid padding
      compared to a zero-byte record with an invalid MAC. This can be used as the
      basis of a padding oracle attack to decrypt data.
    * http:
      - Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS
        connections remaining open and inactive for an extended period of time,
        leading to a potential Denial of Service (DoS).
        (CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)
      - Further prevention of "Slowloris" attacks on HTTP and HTTPS
        connections by consistently applying the receive timeout set by
        `server.headersTimeout` to connections in keep-alive mode. Reported by
        Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
    
    PR-URL: nodejs-private/node-private#169
    rvagg committed Feb 28, 2019
    Commit e6a2530
Showing with 969 additions and 1,545 deletions.
  1. +2 −1 CHANGELOG.md
  2. +27 −0 deps/openssl/openssl/CHANGES
  3. +2 −2 deps/openssl/openssl/Makefile
  4. +0 −692 deps/openssl/openssl/Makefile.bak
  5. +1 −1 deps/openssl/openssl/Makefile.org
  6. +4 −0 deps/openssl/openssl/NEWS
  7. +1 −1 deps/openssl/openssl/README
  8. +0 −188 deps/openssl/openssl/apps/CA.pl.bak
  9. +15 −12 deps/openssl/openssl/crypto/asn1/ameth_lib.c
  10. +9 −2 deps/openssl/openssl/crypto/bio/bss_file.c
  11. +3 −1 deps/openssl/openssl/crypto/bn/bn_ctx.c
  12. +3 −0 deps/openssl/openssl/crypto/bn/bn_lib.c
  13. +101 −0 deps/openssl/openssl/crypto/bn/bntest.c
  14. +6 −0 deps/openssl/openssl/crypto/constant_time_locl.h
  15. +1 −1 deps/openssl/openssl/crypto/ec/ec_ameth.c
  16. +1 −1 deps/openssl/openssl/crypto/err/Makefile
  17. +38 −0 deps/openssl/openssl/crypto/err/err.c
  18. +2 −0 deps/openssl/openssl/crypto/evp/evp.h
  19. +36 −4 deps/openssl/openssl/crypto/evp/evp_enc.c
  20. +3 −1 deps/openssl/openssl/crypto/evp/evp_err.c
  21. +2 −2 deps/openssl/openssl/crypto/evp/evp_test.c
  22. +0 −265 deps/openssl/openssl/crypto/opensslconf.h.bak
  23. +3 −3 deps/openssl/openssl/crypto/opensslv.h
  24. +4 −2 deps/openssl/openssl/crypto/rsa/Makefile
  25. +8 −7 deps/openssl/openssl/crypto/rsa/rsa_eay.c
  26. +56 −40 deps/openssl/openssl/crypto/rsa/rsa_oaep.c
  27. +52 −46 deps/openssl/openssl/crypto/rsa/rsa_pk1.c
  28. +97 −37 deps/openssl/openssl/crypto/rsa/rsa_ssl.c
  29. +1 −1 deps/openssl/openssl/doc/apps/ca.pod
  30. +2 −1 deps/openssl/openssl/doc/crypto/PKCS12_parse.pod
  31. +6 −1 deps/openssl/openssl/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
  32. +0 −3 deps/openssl/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
  33. +1 −1 deps/openssl/openssl/doc/{man3 → crypto}/X509_cmp_time.pod
  34. +8 −5 deps/openssl/openssl/doc/ssl/SSL_get_error.pod
  35. +4 −0 deps/openssl/openssl/doc/ssl/SSL_shutdown.pod
  36. +2 −0 deps/openssl/openssl/include/openssl/evp.h
  37. +3 −3 deps/openssl/openssl/include/openssl/opensslv.h
  38. +1 −1 deps/openssl/openssl/openssl.spec
  39. +1 −0 deps/openssl/openssl/ssl/d1_pkt.c
  40. +7 −3 deps/openssl/openssl/ssl/s3_pkt.c
  41. +20 −0 deps/openssl/openssl/ssl/t1_lib.c
  42. +1 −0 deps/openssl/openssl/test/maketests.com
  43. +0 −209 deps/openssl/openssl/tools/c_rehash.bak
  44. +23 −6 doc/api/http.md
  45. +9 −0 doc/api/https.md
  46. +37 −0 doc/changelogs/CHANGELOG_V6.md
  47. +37 −0 lib/_http_server.js
  48. +1 −1 lib/https.js
  49. +1 −1 src/node_version.h
  50. +57 −0 test/parallel/test-http-server-keep-alive-timeout-slow-client-headers.js
  51. +50 −0 test/parallel/test-http-server-keep-alive-timeout-slow-server.js
  52. +77 −0 test/parallel/test-http-server-keep-alive-timeout.js
  53. +58 −0 test/parallel/test-http-slow-headers-keepalive.js
  54. +85 −0 test/parallel/test-https-server-keep-alive-timeout.js
3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -26,7 +26,8 @@ release.
</tr>
<tr>
<td valign="top">
<b><a href="doc/changelogs/CHANGELOG_V6.md#6.16.0">6.16.0</a></b><br/>
<b><a href="doc/changelogs/CHANGELOG_V6.md#6.17.0">6.17.0</a></b><br/>
<a href="doc/changelogs/CHANGELOG_V6.md#6.16.0">6.16.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V6.md#6.15.1">6.15.1</a><br/>
<a href="doc/changelogs/CHANGELOG_V6.md#6.15.0">6.15.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V6.md#6.14.4">6.14.4</a><br/>
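Review bot: the new bold entry links to the anchor `#6.17.0`, which only resolves if doc/changelogs/CHANGELOG_V6.md gained a heading with that exact id in this same comparison; the file list shows 37 lines added to that changelog, so confirm the heading id matches before merging, because a mismatched anchor produces a silently dead link in the release table. Demoting the previous `6.16.0` line from bold to a plain link is consistent with how the rows above it are kept.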
27 changes: 27 additions & 0 deletions deps/openssl/openssl/CHANGES
@@ -7,6 +7,33 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.0.2q and 1.0.2r [26 Feb 2019]

*) 0-byte record padding oracle

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must be in
use. Stitched ciphersuites are optimised implementations of certain
commonly used ciphersuites. Also the application must call SSL_shutdown()
twice even if a protocol error has occurred (applications should not do
this but some do anyway).

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
Aviram, with additional investigation by Steven Collison and Andrew
Hourselt. It was reported to OpenSSL on 10th December 2018.
(CVE-2019-1559)
[Matt Caswell]

*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]

Changes between 1.0.2p and 1.0.2q [20 Nov 2018]

*) Microarchitecture timing vulnerability in ECC scalar multiplication
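Review bot: the 1.0.2r entry records two preconditions for CVE-2019-1559 (a "non-stitched" ciphersuite in use, and the application calling SSL_shutdown() a second time after a fatal protocol error); the PR description should state whether Node's own TLS wrapper can ever issue that second SSL_shutdown() after a fatal error, so the exposure of Node users is documented next to the upgrade rather than left implicit. The behavioural part of the fix lands in ssl/s3_pkt.c and ssl/t1_lib.c, listed further down, which is where review attention belongs; this hunk is changelog text only.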
4 changes: 2 additions & 2 deletions deps/openssl/openssl/Makefile
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.2q
VERSION=1.0.2r
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
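Review bot: the `VERSION=1.0.2r` bump must stay in sync with the version macros in crypto/opensslv.h and include/openssl/opensslv.h, both listed with 3 changed lines in this comparison; if only one side were updated, the build would compile 1.0.2r sources while the reported OpenSSL version string still read 1.0.2q, which defeats any check that relies on the version to confirm the CVE-2019-1559 fix is present. `MAJOR`, `MINOR` and `SHLIB_VERSION_NUMBER` correctly remain unchanged for a letter release.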
@@ -521,7 +521,7 @@ $(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
\( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
\! -name '.#*' \! -name '*~' \! -type l \
\! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \
| sort > $(TARFILE).list

tar: $(TARFILE).list
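Review bot: adding `\! -name '*.bak'` to the find filter is consistent with the four `.bak` files deleted elsewhere in this comparison (Makefile.bak, apps/CA.pl.bak, crypto/opensslconf.h.bak, tools/c_rehash.bak), but since this filter only feeds the `$(TARFILE).list` target it has no effect on what Node compiles; the commit message for the source upgrade could say so, so that a reader does not mistake it for a build change. The trailing backslash on the replaced line is preserved, so the continuation into `| sort > $(TARFILE).list` still parses.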