-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release proposal: v3.3.2 (final io.js v3.x) #3465
Conversation
Changes to `stream_base.cc` are required to support empty writes. Fixes CVE-2015-7384, nodejs#3138 Fix: nodejs#2639 PR-URL: nodejs#3128
Account pending response data to decide whether pause the socket or not. Writable stream state is a not reliable measure, because it just says how much data is pending on a **current** request, thus not helping much with problem we are trying to solve here. PR-URL: nodejs#3128
Decrement `vcount` in `DoTryWrite` even if some of the buffers are empty. PR-URL: nodejs#3128
Notable changes * http: - Fix out-of-order 'finish' event bug in pipelining that can abort execution, fixes DoS vulnerability CVE-2015-7384 (Fedor Indutny) nodejs#3128 - Account for pending response data instead of just the data on the current request to decide whether pause the socket or not (Fedor Indutny) nodejs#3128
#2999 targets |
@indutny worth doing anything with #3549 for this? I was going to squeeze out v3.3.2 today but if a backport is possible & necessary for this then it'd be great. I just heard of a big name company that is locked in io.js v3 over the holiday season—which is a bad idea, but makes me think that there may be a few in a similar position. |
#3490 also has a |
@rvagg Should the notice about 3.x being unsupported from here on somehow be brought to an attention? I mean — 3.x won't receive furhter security updates, which makes staying on 3.x insecure (that applies to all unsupported branches, btw). You now have:
Even if this is kept changelog-only, could this be highlighted somehow and reworded to better motivate users to update? For example, state that 3.x is not supported anymore after the {release date} and won't receive security updates. |
Am I right that v3.3.2 is not going to happen? Close? EDIT: If this gets closed, #2999 can be closed as well. |
it's going to happen still, held off for now |
this ship has sailed, we announced this but it never happened, would be wrong to do it now as it sends the wrong message wrt support |
@rvagg The text on https://iojs.org/en/ should be changed now, i.e. «(except for critical security fixes)» removed. |
https://github.com/nodejs/iojs.org /cc @nodejs/website sorry, don't have time to tinker with this myself, the github webhook should still be in place for this. |
@ChALkeR @rvagg I just changed the text on the home page: nodejs/iojs.org@0c18d03 And it's online. |
💥 thanks @fhemberger! |
@fhemberger Thanks! |
This was promised during the same week as the security release v4.1.2 but never done. Only including those commits in this release for simplicity.
@indutny can you confirm I have the correct commits on this please? I'll release pretty quick and get this out of the way.