Mon, 22 Jun 2015 19:52:51 UTC - release

With this new release, OpenSSL has been upgraded to 1.0.1o to fix several security vulnerabilities. Two of them affect Node.js directly: Logjam and CVE-2015-1788.

Regarding Logjam, OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. It means that upgrading to this release of Node.js may prevent TLS clients written in node from connecting to servers using short DH parameters.

Although it is a breaking change in a stable version, the Node.js TSC determined that this is the best path forward to ensure the security of software written with this and future stable versions of node. Should you encounter any issue with this release related to TLS clients not being able to connect to servers using short DH keys, please create an issue at https://github.com/joyent/node/issues.

As for CVE-2015-1788, TLS programs (including servers) written with Node.js were vulnerable to denial-of-service attacks before this release.

2015.06.22, Version 0.12.5 (Stable)

  • openssl: upgrade to 1.0.1o (Addressing multiple CVEs)

  • npm: upgrade to 2.11.2

  • uv: upgrade to 1.6.1

  • V8: avoid deadlock when profiling is active (Dmitri Melikyan)

  • install: fix source path for openssl headers (Oguz Bastemur)

  • install: make sure opensslconf.h is overwritten (Oguz Bastemur)

  • timers: fix timeout when added in timer's callback (Julien Gilli)

  • windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel)

Source Code: http://nodejs.org/dist/v0.12.5/node-v0.12.5.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.12.5/node-v0.12.5.pkg

Windows Installer: http://nodejs.org/dist/v0.12.5/node-v0.12.5-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.12.5/x64/node-v0.12.5-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.12.5/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.12.5/node-v0.12.5-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.12.5/node-v0.12.5-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.12.5/node-v0.12.5-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.12.5/node-v0.12.5-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.12.5/

Website: http://nodejs.org/docs/v0.12.5/

Documentation: http://nodejs.org/docs/v0.12.5/api/

Shasums:


Mon, 22 Jun 2015 16:45:28 UTC - release

With this new release, OpenSSL has been upgraded to 1.0.1o to fix several security vulnerabilities. Two of them affect Node.js directly: Logjam and CVE-2015-1788.

Regarding Logjam, OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. It means that upgrading to this release of Node.js may prevent TLS clients written in node from connecting to servers using short DH parameters.

Although it is a breaking change in a maintenance version, the Node.js TSC determined that this is the best path forward to ensure the security of software written with this and future maintenance versions of node. Should you encounter any issue with this release related to TLS clients not being able to connect to servers using short DH keys, please create an issue at https://github.com/joyent/node/issues.

As for CVE-2015-1788, TLS programs (including servers) written with Node.js were vulnerable to denial-of-service attacks before this release.

2015.06.18, Version 0.10.39 (Maintenance)

  • openssl: upgrade to 1.0.1o (Addressing multiple CVEs)

  • install: fix source path for openssl headers (Oguz Bastemur)

  • install: make sure opensslconf.h is overwritten (Oguz Bastemur)

  • timers: fix timeout when added in timer's callback (Julien Gilli)

  • windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel)

Source Code: http://nodejs.org/dist/v0.10.39/node-v0.10.39.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.39/node-v0.10.39.pkg

Windows Installer: http://nodejs.org/dist/v0.10.39/node-v0.10.39-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.10.39/x64/node-v0.10.39-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.10.39/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.10.39/

Website: http://nodejs.org/docs/v0.10.39/

Documentation: http://nodejs.org/docs/v0.10.39/api/

Shasums:


Sat, 23 May 2015 06:47:12 UTC - release

2015.05.22, Version 0.12.4 (Stable)

  • npm: upgrade to 2.10.1

  • V8: revert v8 Array.prototype.values() removal (cjihrig)

  • win: bring back xp/2k3 support (Bert Belder)

Source Code: http://nodejs.org/dist/v0.12.4/node-v0.12.4.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.12.4/node-v0.12.4.pkg

Windows Installer: http://nodejs.org/dist/v0.12.4/node-v0.12.4-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.12.4/x64/node-v0.12.4-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.12.4/x64/

Linux 32-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-linux-x86.tar.gz

Linux 64-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-linux-x64.tar.gz

Solaris 32-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-sunos-x86.tar.gz

Solaris 64-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-sunos-x64.tar.gz

Other release files: http://nodejs.org/dist/v0.12.4/

Website: http://nodejs.org/docs/v0.12.4/

Documentation: http://nodejs.org/docs/v0.12.4/api/

Shasums:


Fri, 15 May 2015 23:50:46 UTC - Mike Dolan - Community

Just a couple months ago a variety of members of the Node.js and io.js community announced they would discuss establishing a neutral foundation for the community. The Linux Foundation has since been helping guide discussions with contributors, developers, users and leaders in these communities, increasingly expanding the scope of discussion to more stakeholders. Node.js and io.js have a long, complex history and the facilitated discussions have brought together key leaders to focus on what the future might mean for these technologies.

A lot of progress has been made in just a few short months, and we're entering the final stages of discussions and decisions that will guide the projects forward. Most recently the io.js TC voted to join in the Foundation effort and planning is already underway to begin the process of converging the codebases. The neutral organization, or foundation, will be a key element of that work and has been discussed at length by those involved. When a technology and community reach a level of maturity and adoption that outgrows one company or project, a foundation becomes a critical enabler for ongoing growth.

Foundations can be used to support industrial-scale open source projects that require a legal entity to hold assets or conduct business (hiring, internship programs, compliance, licensing trademarks, marketing and event services, fundraising, etc). Ultimately foundations enable communities to participate in large scale collaboration under agreed upon terms that no one company, person or entity can change or dictate.

It's important to note that while critical, an open governance model does not guarantee success or growth. The io.js project has a strong developer community, for example, but to grow further needs a model to enable funding and investments in the project. If you haven't already, please take a look at Mikeal Rogers' blog post. The Node.js community has needed an avenue for other companies to participate as equals in a neutral field. Growing a community and widening the adoption of a technology all takes resources and a governance model that serves everyone involved. A foundation becomes the place where participants can meet, agree on paths forward, ensure a neutral playing field in the community and invest resources to grow the community even more. It can also allow for broad community engagement through liberal contribution policies, community self organization and working groups.

At The Linux Foundation, we've helped set up neutral organizations that support a variety of open source projects and communities through open and neutral governance and believe the future is bright for the Node.js and io.js communities. The technology being created has incredible value and expanding use cases, which is why getting the governance model and defining the role of the Foundation to support the developer community is the number one priority.

While I'm a relative "newbie" to both the Node.js and io.js communities, I've been able to identify with our team at Linux Foundation a number of opportunities, as well as very common challenges in both communities that relate to other projects we've helped before. What we've found is the challenges the Node.js and io.js communities have are not unique; many open source projects struggle with the same challenges and many have been successful. As I've previously written on Linux.com, there are five key features that we see in successful open governance:

  1. open participation
  2. open, transparent technical decision making
  3. open design and architecture
  4. an open source license
  5. an open, level playing field for intellectual property.

I think these same features apply to the case for a foundation in the Node.js and io.js communities. The io.js project has certainly been founded on many of these principles and has taken off in terms of growing its developer community. Many in the io.js community joined because they felt these principles were not present elsewhere. For all of these reasons, we leveraged the governance provisions from io.js to draft proposals for the technical community governance.

Now I'd like to share specific next steps for establishing the Node.js Foundation (all of this is of course subject to change based on input from the communities). We've started with a core group that offered advice on how to address key governance issues. We've expanded the circle to the technical committees of both communities and are now taking the discussion to the entirety of both communities.

  1. Draft technical governance documents are up for review and comment.

  2. The Foundation Bylaws and Membership Agreements based on our LF templates are available for companies to sign up as members. There is no need to sign any agreements as a community developer. If your company is interested in participating, now is the time to sign up.

  3. Hold elections for the foundation's Gold and Silver member Board Directors and the Technical Steering Committee elects a TSC Chair. The process typically entails 1 week of nominations, 3-5 days of voting and then announcing the election winners.

  4. Set up an initial Board meeting, likely mid-June. The first Board meeting will put in place all of the key legal documents, policies, operations, etc that are being discussed (the reason for wrapping up edits on May 8).

  5. Initiate TSC meetings under the new foundation upon resolution of both technical committees. The TSC will meet regularly on open, recorded calls. Details will be posted on a foundation wiki or page. The combined io.js and Node.js TCs have been meeting roughly every other week to work through the Convergence planning.

  6. May 25 - June 5: Announce the new foundation, members, initial Board Directors (elections may be pending), TSC members and any reconciliation plans agreed to by the TSC (if ready).

And so I ask both communities to review the ideas being proposed, including how best to align goals, align resources and establish a platform for growing adoption of an amazing technology the development community is working to build. I would like to thank the people building this future. Some you know; others you do not. It takes a lot of personal strength to voice opinions and stand up for new ideas in large communities. I appreciate the candor of the discussions but also ask you to seek out those putting forth ideas to understand them and to question them in a constructive dialogue. This community has another decade or more ahead of it; now is the time to set the right foundational elements to move forward.
