Release proposal: v2.3.4 #2115
Conversation
For reference, "high" is the highest severity level they report and is described as:
This is pretty awful :(
I can work on it as soon as it is released on July 9th. It is usually around 15:00 GMT on these days.
@shigeki I can do it if the time is inconvenient for you. 15:00 GMT is in the afternoon for me and I assume an upgrade isn't any more complicated than applying the diff and maybe regenerating the assembly code.
@bnoordhuis Thanks for your offer. I will hand it over to you if I cannot make it. But I have to stay up until the release in order to update my servers, as it fixes a high severity issue. Next time, if the release is for a low severity issue, I'm going to ask for a volunteer among the collaborators to work on the upgrade with me.
OpenSSL 1.0.2d has just been released. The Alternative chains certificate forgery vulnerability (CVE-2015-1793) affects tls client connections, so I am updating it right now.
Converted to PR, PTAL.
> ### Notable changes
>
> * **openssl**: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery).
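Review bot: the openssl entry names the CVE but gives neither its severity nor a pointer to the advisory, which is the information a reader of the release notes needs to decide how urgently to upgrade. The PR description already calls this a "high" severity fix and cites https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html, so consider carrying both into this line, e.g. "Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery, high severity, see the OpenSSL advisory)".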
There is a PR for this now. #2141
The eagle, I mean #2141, has landed.
@bnoordhuis ;-) 👍
0c2140d to be0e0ff
@Fishrock123 Is this CI run for cutting the release?
Notable changes
* openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery).
* npm: Upgraded to v2.12.1, release notes can be found in https://github.com/npm/npm/releases/tag/v2.12.0 and https://github.com/npm/npm/releases/tag/v2.12.1 (Kat Marchán) nodejs#2112.
be0e0ff to 1a340a8
@thefourtheye that is for testing, I'll start the build process soon.
@Fishrock123 Okay, cool. 👍 I thought that the last CI run against the
Release building off this branch for now: https://jenkins-iojs.nodesource.com/job/iojs+release/36/
Ah fudge, I forgot to add PR-URL on the release commits, too late now. Release is up at https://iojs.org/dist/v2.3.4/
cc @nodejs/evangelism can I get retweets for https://twitter.com/Fishrock123/status/619249815029854208 and https://twitter.com/Fishrock123/status/619261517901344768? :D
@Fishrock123 Done 👍 Actually, hash-tagging with io.js or nodejs reaches more eyes, I think.
How can this OpenSSL security update affect node.js/iojs when other languages (like Ruby/Java) are not updating?
@chetandhembre because node and iojs bundle openssl while the others you referred to don't.
@jbergstroem but why do node.js/io.js bundle openssl? Any specific reason not to use the OS-level openssl?
@chetandhembre Because distros often ship old versions that lack features we want.
@bnoordhuis thanks!!
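The practical consequence of the exchange above is that the OS's `openssl version` says nothing about whether a node or io.js binary carries the CVE-2015-1793 fix; the version that matters is the one node was linked against, which it exposes as `process.versions.openssl`. The following is an added example, not code from this thread or from the io.js project: a small parser for OpenSSL 1.x version strings (whose trailing letter is the patch level), a comparison against the 1.0.2d floor this release ships, and a check for the specific affected releases. The function names are the example's own; the affected/fixed ranges (1.0.1n and 1.0.1o fixed in 1.0.1p, 1.0.2b and 1.0.2c fixed in 1.0.2d) are taken from the OpenSSL advisory of 9 July 2015 that the PR description links.

```javascript
// Added example: inspect the OpenSSL version bundled into this node/io.js
// binary rather than the OS's libssl. Function names are this example's own.

// Parse an OpenSSL version string such as "1.0.2d" into comparable parts.
// In the 1.0.x line the trailing letter is the patch level ("" < "a" < "b");
// 1.1.0 and later drop the letter, which this parser records as "".
function parseOpenSSLVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v).trim());
  if (m === null) throw new Error('unrecognised OpenSSL version: ' + v);
  return { major: Number(m[1]), minor: Number(m[2]), fix: Number(m[3]), patch: m[4] };
}

// strcmp-style comparison of two version strings: < 0, 0 or > 0.
function compareOpenSSLVersions(a, b) {
  const x = parseOpenSSLVersion(a);
  const y = parseOpenSSLVersion(b);
  for (const k of ['major', 'minor', 'fix']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.patch === y.patch) return 0;
  return x.patch < y.patch ? -1 : 1; // "" sorts before "a", "a" before "b", ...
}

// CVE-2015-1793 (alternative chains certificate forgery) exists only in
// 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c; fixed in 1.0.1p and 1.0.2d (per the
// OpenSSL advisory of 9 July 2015). Earlier 1.0.x releases predate the
// alternative-chain code, so this particular bug does not apply to them.
function isVulnerableToCVE20151793(version) {
  const v = parseOpenSSLVersion(version);
  if (v.major !== 1 || v.minor !== 0) return false;
  if (v.fix === 1) return v.patch === 'n' || v.patch === 'o';
  if (v.fix === 2) return v.patch === 'b' || v.patch === 'c';
  return false;
}

// Minimum bundled version a node/io.js 2.x binary should report after this release.
const FIXED_102 = '1.0.2d';

// Summarise the running binary. `process.versions.openssl` is how node reports
// the OpenSSL it was linked against (a build configured with --shared-openssl
// reports the system library's version instead, which is then what matters).
// Takes the versions object as a parameter so it can be checked with constructed input.
function checkRunningBinary(versions) {
  const bundled = (versions && versions.openssl) || null;
  if (bundled === null) return { openssl: null, vulnerable: null, upToDate: null };
  return {
    openssl: bundled,
    vulnerable: isVulnerableToCVE20151793(bundled),
    upToDate: compareOpenSSLVersions(bundled, FIXED_102) >= 0,
  };
}

// Stand-alone usage: report on the interpreter this script runs under.
if (typeof process !== 'undefined' && process.versions) {
  const r = checkRunningBinary(process.versions);
  console.log('bundled OpenSSL ' + r.openssl + ': vulnerable=' + r.vulnerable +
              ', at least ' + FIXED_102 + '=' + r.upToDate);
}
```

Run it with the node binary you intend to deploy (`node check.js`), not with whatever `node` happens to be on the build host; the point of the bundling is that each binary carries its own copy. Note that `upToDate` is a floor check against this release's 1.0.2d, so a 1.0.1p binary (fixed for this CVE, but on the older line) reports `vulnerable: false` and `upToDate: false`, which is the right signal for a 2.x release that expects the 1.0.2 line.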
@Fishrock123 did we get armv6 builds for this?
Oh dang, let me do that right now. I got pretty carried away with Cascadia and didn't even really have my laptop out on Friday.
@rvagg done! :) (1.8.4 also)
@Fishrock123 I don't see it built here https://jenkins-iojs.nodesource.com/job/iojs+release/36/. How is it actually done?
@thefourtheye they are built from the pi1-raspbian-wheezy machine.
@Fishrock123 Ah, thanks :-)
There will be a "high" severity fix to OpenSSL this thursday. See https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html
We should probably look at having a release that day, if possible.
cc @shigeki / @indutny
* [0d15161c24] - benchmark: Add some path benchmarks for path: refactor for performance and consistency #1778 (Nathan Woltman) #1778
* [b18c841ec1] - deps: make node-gyp work with io.js (cjihrig) iojs/io.js#990
* [863cdbdd08] - deps: upgrade to npm 2.12.1 (Kat Marchán) #2112
* [84b3915764] - doc: document current release procedure (Rod Vagg) #2099
* [46140334cd] - doc: update AUTHORS list (Rod Vagg) #2100
* [bca53dce76] - path: refactor for performance and consistency (Nathan Woltman) #1778
* [6bef15afe7] - src: remove traceSyncIO property from process (Bradley Meck) #2143
* [2ba1740ba1] - test: add missing crypto checks (Johan Bergström) #2129
* [180fd392ca] - test: refactor test-repl-tab-complete (Sakthipriyan Vairamani) #2122
* [fb05c8e27d] - _Revert_ "test: add test for missing `close`/`finish` event" (Fedor Indutny)
* [9436a860cb] - test: add test for missing `close`/`finish` event (Mark Plomer) iojs/io.js#1373
* [ee3ce2ed88] - tools: install gdbinit from v8 to $PREFIX/share (Ali Ijaz Sheikh) #2123
* [dd523c75da] - win,node-gyp: enable delay-load hook by default (Bert Belder) iojs/io.js#1433