Release proposal: v5.7.1 #5464
Pushed commits dc229aa to a6f4bf9.
CI with latest cherry-picks https://ci.nodejs.org/job/node-test-commit/2367/
I've added this PR to the milestone: #5484
Another potential path issue: #5485
One more off the list, and another added: #5490.
Okay, all known path issues are handled.
Here is
I've been avoiding semver-minor and the timers patch for this release, hence 5.7.1, so it's an easier (if just mental, but likely a little lower risk) upgrade for existing users.
@Fishrock123 also, we didn't have anything ready last week and the path fixes couldn't really be rushed so I don't think there's a whole lot we could have changed.
Pretty sure #5389 (comment) (the important patch) was. We should have just landed and released imo. My fault for forgetting about it on Thursday. :/
Pushed commits fc9d191 to 5f882fa.
Pushed commits 5f882fa to db164cc.
Pushed commits db164cc to 079748e.
Notable changes:

* governance: The Core Technical Committee (CTC) added four new members to help guide Node.js core development: Evan Lucas, Rich Trott, Ali Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) #5507
  - Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0702
* Fixed several regressions that appeared in v5.7.0:
  - path.relative():
    - Output is no longer unnecessarily verbose (Brian White) #5389
    - Resolving UNC paths on Windows now works correctly (Owen Smith) #5456
    - Resolving paths with prefixes now works correctly from the root directory (Owen Smith) #5490
  - url: Fixed an off-by-one error with `parse()` (Brian White) #5394
  - dgram: Now correctly handles a default address case when offset and length are specified (Matteo Collina) #5407

PR-URL: #5464
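The OpenSSL bump above is the security-relevant part of this release, and OpenSSL 1.0.x version strings end in a letter (1.0.2f is older than 1.0.2g), so a plain string or semver comparison misreports them. The following is an added example, not code from this PR or from Node.js itself: it parses the letter-suffixed version, compares it against the 1.0.2g fix level named in the notable changes, and checks the OpenSSL the running Node.js process actually reports in `process.versions.openssl`.

```javascript
'use strict';

// Parse "1.0.2g", "1.0.2g-fips", "1.1.1k+quic" or "3.0.13" into a numeric
// tuple [major, minor, patch, letterRank]; a version with no letter ranks 0,
// so 1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za < 1.0.2zb.
function parseOpenSSLVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v).trim());
  if (!m) throw new TypeError(`unrecognised OpenSSL version: ${v}`);
  let rank = 0;
  for (const ch of m[4]) rank = rank * 26 + (ch.charCodeAt(0) - 96); // 'a' -> 1
  return [Number(m[1]), Number(m[2]), Number(m[3]), rank];
}

// Lexicographic compare of the parsed tuples: -1, 0 or 1.
function compareOpenSSLVersions(a, b) {
  const pa = parseOpenSSLVersion(a);
  const pb = parseOpenSSLVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fix level from the v5.7.1 notable changes (2016-0705, 2016-0797, 2016-0702).
const FIXED_VERSION = '1.0.2g';

function isPatched(runtimeVersion, fixed = FIXED_VERSION) {
  return compareOpenSSLVersions(runtimeVersion, fixed) >= 0;
}

// Check the OpenSSL this process is actually linked against, which is what
// matters when confirming a deployed upgrade rather than reading a changelog.
function runtimeIsPatched() {
  return isPatched(process.versions.openssl);
}

if (typeof require !== 'undefined' && require.main === module) {
  const v = process.versions.openssl;
  console.log(`OpenSSL ${v}: ${runtimeIsPatched() ? 'at or above' : 'below'} ${FIXED_VERSION}`);
}
```

A Node.js built with `--shared-openssl` reports the system library, and distributions sometimes backport fixes without changing the letter suffix, so treat a "below" result as a prompt to check the vendor advisory rather than as proof of exposure.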
Pushed commits 079748e to 3643670.
CITGM before merging https://ci.nodejs.org/job/thealphanerd-smoker/100/
Building @ https://ci.nodejs.org/job/iojs+release/435/
### Notable changes

* **governance**: The Core Technical Committee (CTC) added four new members to help guide Node.js core development: Evan Lucas, Rich Trott, Ali Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
This is really odd in here. If you look at how this displays at https://nodejs.org/en/blog/ it seems like it is related to the Version 5.7.1 release.
Shouldn't this go in a "Weekly Update"?
Not much meat in here yet. The path.relative(), url.parse() and dgram.send() fixes have not landed yet but there are at least 4 commits queued up in the various pull requests, plus OpenSSL. Milestone @Fishrock123 put together for this is https://github.com/nodejs/node/milestones/5.7.1
We're probably going to have to hold this up until at least we have an OpenSSL risk assessment. Perhaps we can move forward without even needing to bother with an OpenSSL upgrade but more likely we'll include it anyway. Which means the release date will be the 2nd or 3rd, next week.
Will figure out if/how we coordinate across release lines ASAP.
This is all we have so far:
Notable changes