Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v4.8.6 proposal #16500

Merged
merged 48 commits into from
Nov 7, 2017
Merged

v4.8.6 proposal #16500

merged 48 commits into from
Nov 7, 2017

Conversation

MylesBorins
Copy link
Contributor

@MylesBorins MylesBorins commented Oct 25, 2017

2017-11-07, Version 4.8.6 'Argon' (Maintenance), @MylesBorins

This Maintenance release comes with 47 commits. This includes 26 commits which are updates to dependencies,
8 which are build / tool related, 4 which are doc related, and 2 which are test related.

This release includes a security update to openssl that has been deemed low severity for the Node.js project.

Notable Changes

  • crypto:
    • update root certificates (Ben Noordhuis) #13279
    • update root certificates (Ben Noordhuis) #12402
  • deps:
    • add support for more modern versions of INTL (Bruno Pagani) #13040
    • upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #16691
    • upgrade openssl sources to 1.0.2l (Daniel Bevenius) #13233

Commits

ArchangeGabriel and others added 30 commits October 25, 2017 04:22
* The following function from <unicode/normlzr.h> is used:
     normalize()

* Until ICU 59, <unicode/normlzr.h> is indirectly included, but this changed with the 59 release. Adding this header has been the right thing to do for many years, so it is backwards compatible and fix compilation with recent ICU.

Refs: #13022
PR-URL: #13040
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
This fixes wrong hash results on Windows with some CPUs that support
Intel SHA Extension and resolves the issue of TLS connection errors.

After upgrading forthcoming openssl-1.0.2l, this is no nolonger needed.

  Original commit message:

    perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.

    Perl, multiple versions, for some reason occasionally takes issue with
    letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
    0xb1 came out wrong when generating code for MASM. Fixes GH#3241.

    Reviewed-by: Rich Salz <rsalz@openssl.org>
    (Merged from openssl/openssl#3385)

    (cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)

Refs: openssl/openssl#3241
Refs: openssl/openssl#3385
Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Regenerate asm files according to the fix of
openssl/crypto/perlasm/x86_64-xlate.pl.

Fixes: #12691
PR-URL: #12913
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
HGlobalValueNumberingPhase::CollectSideEffectsOnPathsToDominatedBlock()
used to self-recurse before this commit, causing stack overflows on
systems with small stack sizes.  Make it non-recursive by storing
intermediate results in a heap-allocated list.

Fixes: #11991
Backport-PR-URL: #13080
PR-URL: #12460
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yang Guo <yangguo@chromium.org>
Functions that call `ECDH::BufferToPoint` were not clearing the
error stack on failure, so an invalid key could leave leftover
error state and cause subsequent (unrelated) signing operations
to fail.

PR-URL: #13275
Backport-PR-URL: #13399
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fixes: #12833
PR-URL: #12957
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <mhdawson@ibm.com>
gpg 2.1 no longer includes the key-id by default which breaks
the release script. This makes sure we are explicit about it.

PR-URL: #13309
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Backport-PR-URL: #14635
PR-URL: #14578
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Backport-PR-URL: #14635
PR-URL: #14578
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Allow passing the prefix in via the PKGDIR env var. This will allow us
to use this same script to codesign the binary tarball.

PR-URL: #14179
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Previously, we were signing the binary that was released in the .pkg,
but not the binary released in the tarball.

PR-URL: #14179
Fixes: #11936
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Original commit message:

    ares_parse_naptr_reply: make buffer length check more accurate

    9478908a490a6bf009ba58d81de8c1d06d50a117 introduced a length check
    for records parsed by `ares_parse_naptr_reply()`. However, that
    function is designed to parse replies which also contain non-NAPTR
    records; for A records, the `rr_len > 7` check will fail as there
    are only 4 bytes of payload.
    In particular, parsing ANY replies for NAPTR records was broken
    by that patch.

    Fix that by moving the check into the case in which it is already
    known that the record is a NAPTR record.

Ref: c-ares/c-ares@18ea996
PR-URL: #13883
Reviewed-By: James M Snell <jasnell@gmail.com>
This is the certdata.txt[0] that ships in NSS 3.28.1, released on
2017-01-04.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_28_1_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- AC RAIZ FNMT-RCM
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Certplus Root CA G1
- Certplus Root CA G2
- Hellenic Academic and Research Institutions ECC RootCA 2015
- Hellenic Academic and Research Institutions RootCA 2015
- ISRG Root X1
- LuxTrust Global Root 2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3

Certificates removed:
- Buypass Class 2 CA 1
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- IGC/A
- Juur-SK
- RSA Security 2048 v3
- Root CA Generalitat Valenciana

PR-URL: #12402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
This is the certdata.txt[0] that ships in NSS 3.30.2, released on
2017-04-20.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_30_2_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

Certificates removed:
- ApplicationCA - Japanese Government
- Microsec e-Szigno Root CA
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- WellsSecure Public Root Certificate Authority

PR-URL: #13279
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This reverts commit 2d07fd7, with the
exception of the `V8_PATCH_LEVEL` which will continue to increase.

This commit was intended to be a backport of v8's e093a04 and 09db540,
but it failed to consider the reversion of e093a04 in 5f5a328.

PR-URL: #14829
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Original commit messages:
v8/v8@09db540
  Reland of Rehash and clear deleted entries in weak collections during GC

  BUG=v8:4909
  R=hpayer@chromium.org,ulan@chromium.org
  LOG=n

  Review URL: https://codereview.chromium.org/1890123002

  Cr-Commit-Position: refs/heads/master@{#35538}

v8/v8@686558d
  Fix comment about when we rehash ObjectHashTables before growing them

  R=ulan@chromium.org
  BUG=

  Review-Url: https://codereview.chromium.org/1918403003
  Cr-Commit-Position: refs/heads/master@{#35853}

Refs: https://crbug.com/v8/4909
Refs: #6180
Refs: #7689
Refs: #6398
Fixes: #14228

PR-URL: #14829
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
When upgrading OpenSSL, Step 6 in upgrading guide explains the steps
that need to be taken if asm files need updating. This might not
always be the case and something that needs to be checked from
release to release.

This commit adds an example of using github to manually compare two tags
to see if any changes were made to asm files.

Backport-PR-URL: #13696
PR-URL: #13234
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
This replaces all sources of openssl-1.0.2l.tar.gz into
deps/openssl/openssl

Fixes: #13161
Backport-PR-URL: #13696
PR-URL: #13233
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
All symlink files in deps/openssl/openssl/include/openssl/ are removed
and replaced with real header files to avoid issues on Windows. Two
files of opensslconf.h in crypto and include dir are replaced to refer
config/opensslconf.h.

Fixes: #13161
Backport-PR-URL: #13696
PR-URL: #13233
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .

Fixes: #589
Backport-PR-URL: #13696
PR-URL: #1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: #589
Backport-PR-URL: #13696
PR-URL: #1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reapply b910613 .

Fixes: #589
Backport-PR-URL: #13696
PR-URL: #1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Fixes: #1461
Backport-PR-URL: #13696
PR-URL: #1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate config files for supported platforms with Makefile.

Fixes: #13161
Backport-PR-URL: #13696
PR-URL: #13233
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

Fixes: #13161
Backport-PR-URL: #13696
PR-URL: #13233
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Added the missing make command in steps 6.3 when building
asm_obsolete.

Also updated the commit message to include the version nasm in
addition to the gcc version.

Fixes: #13161
Backport-PR-URL: #13696
PR-URL: #13233
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This is a partial backport of semver-patch bits of
9e4660b.

This commit fixes the Node process crashing when constructors of classes
of the zlib module are given invalid options.

* Throw an Error when the zlib library rejects the value of windowBits,
  instead of crashing with an assertion.

* Treat windowBits and memLevel options consistently with other ones and
  don't crash when non-numeric values are given.

Backport-PR-URL: #14860
PR-URL: #13098
Fixes: #13082
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Unset `mode_` when initializing the zlib stream failed, so that
we don’t try to call the zlib end functions (`deflateEnd()` etc.)
when cleaning up in `ZCtx::Close()`.

Fixes: #14178
Ref: #13098
Backport-PR-URL: #14860
PR-URL: #14666
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. cares Issues and PRs related to the c-ares dependency or the cares_wrap binding. meta Issues and PRs related to the general management of the project. openssl Issues and PRs related to the OpenSSL dependency. v4.x labels Oct 25, 2017
@MylesBorins
Copy link
Contributor Author

MylesBorins commented Oct 25, 2017

gibfahn and others added 8 commits November 2, 2017 17:51
Backport-PR-URL: #16550
PR-URL: #7947
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
This replaces all sources of openssl-1.0.2m.tar.gz into
deps/openssl/openssl

PR-URL: #16691
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: #16691
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .

Fixes: #589
PR-URL: #1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: #589
PR-URL: #1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reapply b910613 .

Fixes: #589
PR-URL: #1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Fixes: #1461
PR-URL: #1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Regenerate asm files with Makefile and CC=gcc and ASM=nasm where gcc
version was 5.4.0 and nasm version was 2.11.08.

Also asm files in asm_obsolete dir to support old compiler and
assembler are regenerated without CC and ASM envs.

PR-URL: #16691
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@jasnell
Copy link
Member

jasnell commented Nov 3, 2017

Really not a fan of doing releases on a Friday. Can these wait until Monday?

@MylesBorins
Copy link
Contributor Author

CITGM is not as green as I couldn't find new failures as compared to the previous release that were not infrastructure related.

A large number of the failures are timeouts, and I believe that is mostly due to snapshots being turned off

Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500
@MylesBorins
Copy link
Contributor Author

Hey all, I've updated the PR with notable changes. Please lmk if you think there should be any changes made.

@MylesBorins MylesBorins merged commit 449d60d into v4.x Nov 7, 2017
MylesBorins added a commit that referenced this pull request Nov 7, 2017
MylesBorins added a commit that referenced this pull request Nov 7, 2017
Notable Changes:

* **crypto**:
  - update root certificates (Ben Noordhuis)
    #13279
  - update root certificates (Ben Noordhuis)
    #12402
* **deps**:
  - add support for more modern versions of INTL (Bruno Pagani)
    #13040
  - upgrade openssl sources to 1.0.2m (Shigeki Ohtsu)
    #16691
  - upgrade openssl sources to 1.0.2l (Daniel Bevenius)
    #13233

PR-URL: #16500
@gibfahn gibfahn deleted the v4.8.6-proposal branch November 13, 2017 23:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI. cares Issues and PRs related to the c-ares dependency or the cares_wrap binding. meta Issues and PRs related to the general management of the project. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.