With this new release, OpenSSL has been upgraded to 1.0.1o to fix several security vulnerabilities. Two of them affect Node.js directly: Logjam and CVE-2015-1788.
Regarding Logjam, OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This means that upgrading to this release of Node.js may prevent TLS clients written in node from connecting to servers using short DH parameters.
Although it is a breaking change in a maintenance version, the Node.js TSC determined that this is the best path forward to ensure the security of software written with this and future maintenance versions of node. Should you encounter any issue with this release related to TLS clients not being able to connect to servers using short DH keys, please create an issue at https://github.com/joyent/node/issues.
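As an added example (not part of the Node.js release notes and not code from the Node.js project), the following script audits a PEM "DH PARAMETERS" file and reports the bit length of its prime, which is the value a client built on OpenSSL 1.0.1o compares against the 768-bit floor described above. It lets an operator check a server's dhparam files before upgrading clients. The `parseDhParams`, `meetsLogjamFloor` and `buildDhParamsPem` names are this example's own; the three sample parameter sets it builds are constructed with exact bit lengths for parsing purposes only and are not real safe primes.

```javascript
'use strict';

// Added example, not from the Node.js release notes. Parses a PKCS#3
// "DH PARAMETERS" PEM file and reports the bit length of the prime p,
// the quantity OpenSSL 1.0.1o's Logjam guard checks on the client side.
const MIN_DH_BITS = 768; // floor stated in the release notes

// Minimal DER reader: returns the tag, the body and the offset of the next element.
function readTlv(buf, offset) {
  const tag = buf[offset];
  let len = buf[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {                 // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  }
  if (pos + len > buf.length) throw new Error('truncated DER element');
  return { tag, body: buf.subarray(pos, pos + len), next: pos + len };
}

// DER INTEGER body -> BigInt. A leading 0x00 is only a sign pad, so counting
// body bytes * 8 would over-report the size by 8 bits; BigInt.toString(2) does not.
function derIntegerToBigInt(body) {
  return body.length ? BigInt('0x' + body.toString('hex')) : 0n;
}

// DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, privateValueLength INTEGER OPTIONAL }
function parseDhParams(pem) {
  const b64 = pem.replace(/-----(BEGIN|END) DH PARAMETERS-----/g, '').replace(/\s+/g, '');
  const der = Buffer.from(b64, 'base64');
  const seq = readTlv(der, 0);
  if (seq.tag !== 0x30) throw new Error('expected SEQUENCE');
  const pEl = readTlv(seq.body, 0);
  const gEl = readTlv(seq.body, pEl.next);
  if (pEl.tag !== 0x02 || gEl.tag !== 0x02) throw new Error('expected INTEGER');
  const prime = derIntegerToBigInt(pEl.body);
  return { bits: prime.toString(2).length, generator: derIntegerToBigInt(gEl.body), prime };
}

// true when a TLS client on OpenSSL 1.0.1o would still accept these parameters
function meetsLogjamFloor(pem) {
  return parseDhParams(pem).bits >= MIN_DH_BITS;
}

// --- DER encoder, used here only to build constructed sample files for the demo ---
function derLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v >>= 8) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

function derInteger(value) {
  let hex = value.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  let body = Buffer.from(hex, 'hex');
  if (body[0] & 0x80) body = Buffer.concat([Buffer.from([0x00]), body]); // keep it positive
  return Buffer.concat([Buffer.from([0x02]), derLength(body.length), body]);
}

function buildDhParamsPem(prime, generator) {
  const inner = Buffer.concat([derInteger(prime), derInteger(generator)]);
  const der = Buffer.concat([Buffer.from([0x30]), derLength(inner.length), inner]);
  const b64 = der.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN DH PARAMETERS-----\n${b64}\n-----END DH PARAMETERS-----\n`;
}

// Constructed sample moduli with exact bit lengths (NOT real safe primes; parsing only).
// The top bit is set in each, so every one exercises the 0x00 sign-pad case.
const SAMPLES = {
  'dh512.pem': buildDhParamsPem((1n << 511n) | 0xabcdn, 2n),
  'dh768.pem': buildDhParamsPem((1n << 767n) | 0xabcdn, 2n),
  'dh2048.pem': buildDhParamsPem((1n << 2047n) | 0xabcdn, 2n),
};

// Usage: node dhparam-audit.js [file.pem ...]; with no arguments it audits the samples.
if (typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const inputs = process.argv.slice(2).map((f) => [f, fs.readFileSync(f, 'utf8')]);
  for (const [name, pem] of inputs.length ? inputs : Object.entries(SAMPLES)) {
    const { bits } = parseDhParams(pem);
    const verdict = meetsLogjamFloor(pem) ? 'accepted' : 'REJECTED by 1.0.1o clients';
    console.log(`${name}: ${bits}-bit prime -> ${verdict}`);
  }
}
```

The bit length is taken from the decoded integer rather than from the DER body length, because a modulus whose top bit is set is stored with a 0x00 pad byte and a byte count would report 776 bits for a 768-bit prime, placing a borderline file on the wrong side of the floor.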
As for CVE-2015-1788, before this release TLS programs (including servers) written with Node.js were vulnerable to Denial of Service attacks.
2015.06.18, Version 0.10.39 (Maintenance)
openssl: upgrade to 1.0.1o (Addressing multiple CVEs)
install: fix source path for openssl headers (Oguz Bastemur)
install: make sure opensslconf.h is overwritten (Oguz Bastemur)
timers: fix timeout when added in timer's callback (Julien Gilli)
windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel)
Source Code: http://nodejs.org/dist/v0.10.39/node-v0.10.39.tar.gz
Macintosh Installer (Universal): http://nodejs.org/dist/v0.10.39/node-v0.10.39.pkg
Windows Installer: http://nodejs.org/dist/v0.10.39/node-v0.10.39-x86.msi
Windows x64 Installer: http://nodejs.org/dist/v0.10.39/x64/node-v0.10.39-x64.msi
Windows x64 Files: http://nodejs.org/dist/v0.10.39/x64/
Linux 32-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-linux-x86.tar.gz
Linux 64-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-linux-x64.tar.gz
Solaris 32-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-sunos-x86.tar.gz
Solaris 64-bit Binary: http://nodejs.org/dist/v0.10.39/node-v0.10.39-sunos-x64.tar.gz
Other release files: http://nodejs.org/dist/v0.10.39/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

f51855f96e3b69af87112161f155ac270eb5bd33  node-v0.10.39-darwin-x64.tar.gz
8316054cdd8cc482f3c6b89434c1fe224039bd26  node-v0.10.39-darwin-x86.tar.gz
97583ea9daf469bcb1691ac8a34fe5b64a8deaf5  node-v0.10.39-linux-x64.tar.gz
d3038a590e99a6eb877b41b39aba503464766347  node-v0.10.39-linux-x86.tar.gz
7b8d190a2e17ad809c7b892178d5410f99328f76  node-v0.10.39-sunos-x64.tar.gz
de09892495d8f6dec3031142ba47d5d02c8f53e7  node-v0.10.39-sunos-x86.tar.gz
2e019ab13a78fb994a8c6c10e72979b56ddaaf0d  node-v0.10.39-x86.msi
2c1a7c3aea6dac03e49181f20c45b7d1315068a2  node-v0.10.39.pkg
b53d33b5e1b980b2fe9009fec810187eaa6b8144  node-v0.10.39.tar.gz
d556c55a815960e0ab705aa9225da996f47f3ef9  node.exe
75201237f362bb27af9652487fb5e74b90edc1ba  node.exp
16d7d5029a0e9a0e21e04a522493a3d973a7eed0  node.lib
4e95ba82cc3fbd26d7da93549c7222ff941760a5  node.pdb
b779fd3b7a70c688b7ab0313f2a62edac9b4cbe1  openssl-cli.exe
9642c12bbdbb03c163c5d3d9e539243730af0595  openssl-cli.pdb
b1183e7597b9b9724bb1d9892843322afeca95aa  x64/node-v0.10.39-x64.msi
eb76635c7bd9a321ac6f97043226ece73bbc4df4  x64/node.exe
fe6ae97961692d595706665533e23cc4d94d2087  x64/node.exp
9ded23cb299cf5d03e0f7783b5d195b1a3a91ff4  x64/node.lib
11832ff8d3409742a90be94738031ebb51c857ad  x64/node.pdb
438e8cf3732b0116a7bee074afc6fbc48c45f0fb  x64/openssl-cli.exe
1855d0a946882b9a4d39d57893ab4e2e3a3c9f02  x64/openssl-cli.pdb
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJViDuaAAoJEFCjBR+IjGKNff8P/jOOp4smwRKWfpi3stsorvlX
3jk/WNXOIUO/qnx5cJA0XrAxzmL+fOOWXlMaacJfAEiy96EQHryjuCasy1nrT+Ae
7qDoXJCnuCgnconV2RIP0otZmlHyTmxRA7DYwbhpOcScCqJoO4HV6fDo50pU+Bdg
HBb5/M3Pm6Cep2Iuv54I1p0mbGVubZxfxmsjkLoEv4KIzmVFit65pZBSA+9DaomK
QqTCnvWg/lCmnSrQQWTTFC0crqB6eO9PP/v63KUQc3G5K/FjhIfJ6j+PPvlBjOfx
N37bxC6YJgVD0axyrxvh2VEhmsJZ06JiI1PUdp91C8klbOp6jeCLFFi5axA0Gjmr
HN6ES5IfnZH26pUFB5M97Cydug+3tM9YPa9jVHwJUdgzNrSVxSlgdQHi4xVHnrTL
xEESXQQWL7kYE+t9oy6i9B93FphsQvqiuI5i4QXj1WabCOEgywVWyZF741wkC8Lu
Y/97CvcPNWoDHR7H+cbrO3B4iedFpKDaxNb1vrpZRgTHiohrkW8Ec2VB00RgCvJi
pPKGxsv70Wby5V8at120CsPLuGW8xCihMpYRkSEyIZodrq0YCtN87COvPe7GpyFk
PnfMhk0U9ANfeMFMK3qcDT+iQAHuLLmD3/aEN6RHc5b2fwyXc4+SqT55jpyegbb4
TbGw60glPAi+FQhZZoF0
=I4d1
-----END PGP SIGNATURE-----
2015.05.22, Version 0.12.4 (Stable)
npm: upgrade to 2.10.1
V8: revert v8 Array.prototype.values() removal (cjihrig)
win: bring back xp/2k3 support (Bert Belder)
Source Code: http://nodejs.org/dist/v0.12.4/node-v0.12.4.tar.gz
Macintosh Installer (Universal): http://nodejs.org/dist/v0.12.4/node-v0.12.4.pkg
Windows Installer: http://nodejs.org/dist/v0.12.4/node-v0.12.4-x86.msi
Windows x64 Installer: http://nodejs.org/dist/v0.12.4/x64/node-v0.12.4-x64.msi
Windows x64 Files: http://nodejs.org/dist/v0.12.4/x64/
Linux 32-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-linux-x86.tar.gz
Linux 64-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-linux-x64.tar.gz
Solaris 32-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-sunos-x86.tar.gz
Solaris 64-bit Binary: http://nodejs.org/dist/v0.12.4/node-v0.12.4-sunos-x64.tar.gz
Other release files: http://nodejs.org/dist/v0.12.4/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

bebda08e40413c17585fc333ba2ca55305b9d7ad  node-v0.12.4-darwin-x64.tar.gz
79b097ba53bc50bf33b70767bc716c326952d683  node-v0.12.4-darwin-x86.tar.gz
9a832e42b8910a02573fea80bde29f86f7c71173  node-v0.12.4-linux-x64.tar.gz
6ea26f3ec48dc06abaedb0c918b1c0d9caafd836  node-v0.12.4-linux-x86.tar.gz
48934e6cf627fb1b2a54360b96f5545ad8401b2b  node-v0.12.4-sunos-x64.tar.gz
4c5e434001b11553313187aa58eeafc2f7003fae  node-v0.12.4-sunos-x86.tar.gz
dbddd67f61c0a5428ad1078b9f7ffe43c4722f07  node-v0.12.4-x86.msi
39d360a8910707fa8dbdcc975d9eaa5225334943  node-v0.12.4.pkg
147ff79947752399b870fcf3f1fc37102100b545  node-v0.12.4.tar.gz
c90d0a4a6e2e1b117f4959b8a20f01ab395af7a0  node.exe
382a83f002a7a3b4cdaf652b8e17b5d50a28f690  node.exp
0ac9dc8819b0b7ec4259167827952de6f99e1553  node.lib
aab3ce0768bf1ffa6f5e9be10cc2e9d07bfb44a4  node.pdb
806b363c427149ff67e725708111ff16aabfdadc  openssl-cli.exe
5882b1d72395628cafb061d32b14fbc22b8a4094  openssl-cli.pdb
69f15439af92c5e0beec02dc8145b74d98c103dd  x64/node-v0.12.4-x64.msi
cf6aba37acb1f1699ec87ea279da872953aab948  x64/node.exe
8005ad9da1702cc74bf37a0fd2e8c8dd01abc78e  x64/node.exp
83cfd2d1cd51e94d7be5abe1593d845e5d72ef98  x64/node.lib
4f3a46c2f6416b0554f24e08b9b599655a3f4c9e  x64/node.pdb
6aff9aff978b1ff2d35b55d060d89b53d5e48678  x64/openssl-cli.exe
dd18b2b7eb0435071abb75893af197d15b33303f  x64/openssl-cli.pdb
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVYCJhAAoJEFCjBR+IjGKN+UcQALEW1e3M0huwiU9gdCNhzfO/
BwoWtdLl+303lBRfQBpzOxJjqEZ+dA+GC0wTRO11Mq9B0Rx3gp1B9gjwoA/8W3ky
2BNICC9BBc8vL1r7I5XaH6U7YOhMru/XkL/8rOJYUBRod3o+4irAvOS9Xe9nRbII
TKHOfaIqFvPTZMQgC2VW/GIVFE+JmY/7JZlVd1hCTKAHLk+PcaT9t3C1wyJO7qHV
S0r5Hs2kT4xSxgsGx7jfBFAtqM/kXF5C/oBFefSpTQFm3n6qWmlTr6X+IogKrlud
iBl1bV29kGkImzSPv1rDr8IJ3/tQdPNzzt5RFiWD8ezXjzu3dMI5SioPzRmXy+uw
DvaUE3ub8dzgqImybUFx5+BpqiWQEhIBEnBFWEmDq1yabqxRM1xJiQOz2Ui6i1Ms
C90WGm2uXQFVZasaVrDnbQfFtSSpuvEBmByNIe7fbZ92YnSLFhQ26TvZ6xDt/Ef/
uwFAx8HE1cbke2hUAgZjj3NWeNsCFyyrMsaQnU6pJOxPgJJmr/04lvw3e1IIaF37
3BN3sRlHgs+iRwMdxpaCwJKfY4cIVZl+Ezm1kJ9ekQyhIlSl+tJBHzJYCQDcpVYd
A2zw5k2w5uWbiEuFuacgvTtoCiXQiaxBESufvvzAOiSnb+8JcPvrpPmB1eOnWO2J
H1c+UgMLjJvkLtI7gHs8
=Lr9D
-----END PGP SIGNATURE-----
Node.js and io.js leaders are building an open, neutral Node.js Foundation to support the future of the platform
Just a couple months ago a variety of members of the Node.js and io.js community announced they would discuss establishing a neutral foundation for the community. The Linux Foundation has since been helping guide discussions with contributors, developers, users and leaders in these communities, increasingly expanding the scope of discussion to more stakeholders. Node.js and io.js have a long, complex history and the facilitated discussions have brought together key leaders to focus on what the future might mean for these technologies.
A lot of progress has been made in just a few short months, and we're entering the final stages of discussions and decisions that will guide the projects forward. Most recently the io.js TC voted to join in the Foundation effort and planning is already underway to begin the process of converging the codebases. The neutral organization, or foundation, will be a key element of that work and has been discussed at length by those involved. When a technology and community reach a level of maturity and adoption that outgrows one company or project, a foundation becomes a critical enabler for ongoing growth.
Foundations can be used to support industrial-scale open source projects that require a legal entity to hold assets or conduct business (hiring, internship programs, compliance, licensing trademarks, marketing and event services, fundraising, etc). Ultimately foundations enable communities to participate in large scale collaboration under agreed upon terms that no one company, person or entity can change or dictate.
It's important to note that while critical, an open governance model does not guarantee success or growth. The io.js project has a strong developer community, for example, but to grow further needs a model to enable funding and investments in the project. If you haven't already, please take a look at Mikeal Rogers' blog post. The Node.js community has needed an avenue for other companies to participate as equals in a neutral field. Growing a community and widening the adoption of a technology all takes resources and a governance model that serves everyone involved. A foundation becomes the place where participants can meet, agree on paths forward, ensure a neutral playing field in the community and invest resources to grow the community even more. It can also allow for broad community engagement through liberal contribution policies, community self organization and working groups.
At The Linux Foundation, we've helped set up neutral organizations that support a variety of open source projects and communities through open and neutral governance and believe the future is bright for the Node.js and io.js communities. The technology being created has incredible value and expanding use cases, which is why getting the governance model right and defining the role of the Foundation to support the developer community is the number one priority.
While I'm a relative "newbie" to both the Node.js and io.js communities, I've been able to identify with our team at Linux Foundation a number of opportunities, as well as very common challenges in both communities that relate to other projects we've helped before. What we've found is the challenges the Node.js and io.js communities have are not unique; many open source projects struggle with the same challenges and many have been successful. As I've previously written on Linux.com, there are five key features that we see in successful open governance:
- open participation
- open, transparent technical decision making
- open design and architecture
- an open source license
- an open, level playing field for intellectual property.
I think these same features apply to the case for a foundation in the Node.js and io.js communities. The io.js project has certainly been founded on many of these principles and has taken off in terms of growing its developer community. Many in the io.js community joined because they felt these principles were not present elsewhere. For all of these reasons, we leveraged the governance provisions from io.js to draft proposals for the technical community governance.
Now I'd like to share specific next steps for establishing the Node.js Foundation (all of this is of course subject to change based on input from the communities). We've started with a core group that offered advice on how to address key governance issues. We've expanded the circle to the technical committees of both communities and are now taking the discussion to the entirety of both communities.
- Draft technical governance documents are up for review and comment.
- The Foundation Bylaws and Membership Agreements based on our LF templates are available for companies to sign up as members. There is no need to sign any agreements as a community developer. If your company is interested in participating, now is the time to sign up.
- Hold elections for the foundation's Gold and Silver member Board Directors, and the Technical Steering Committee elects a TSC Chair. The process typically entails 1 week of nominations, 3-5 days of voting and then announcing the election winners.
- Set up an initial Board meeting, likely mid-June. The first Board meeting will put in place all of the key legal documents, policies, operations, etc. that are being discussed (the reason for wrapping up edits on May 8).
- Initiate TSC meetings under the new foundation upon resolution of both technical committees. The TSC will meet regularly on open, recorded calls. Details will be posted on a foundation wiki or page. The combined io.js and Node.js TCs have been meeting roughly every other week to work through the Convergence planning.
- May 25 - June 5: Announce the new foundation, members, initial Board Directors (elections may be pending), TSC members and any reconciliation plans agreed to by the TSC (if ready).
And so I ask both communities to review the ideas being proposed, including how best to align goals, align resources and establish a platform for growing adoption of an amazing technology the development community is working to build. I would like to thank the people building this future. Some you know; others you do not. It takes a lot of personal strength to voice opinions and stand up for new ideas in large communities. I appreciate the candor of the discussions but also ask you to seek out those putting forth ideas to understand them and to question them in a constructive dialogue. This community has another decade or more ahead of it; now is the time to set the right foundational elements to move forward.
When I joined Joyent last summer I quickly realized that, despite the huge success of Node.js in the market and the tireless work of many here at Joyent, there were challenges in the project that we needed to address. Through discussions with various project contributors, Node.js users, ecosystem vendors and the Node.js Advisory Board, it became clear that the best way to address the concerns of all key stakeholders (and the best thing for Node.js as a whole) was to establish the Foundation as a path for the future.
The biggest and most obvious challenge we sought to address with the Foundation was the friction that existed amongst some developers in the Node.js community. Historically, leadership ran the project fairly tightly, with a small core of developers working in a BDFL model. It was difficult for new people to join the project, and there wasn’t enough transparency for such a diverse, passionate community to have a sense of ownership. Consequently, a group of developers who wanted to operate under a more open governance model created the io.js fork. That team has done a great job innovating on governance and engagement models, and the Node.js Foundation’s models will be based on those policies to ensure broader community engagement in the future of Node.js. We welcome community review and feedback on the draft governance documents.
With the recent vote by the io.js TC to join the Node.js Foundation, we took a giant leap toward rebuilding a unified community. @mikeal, @piscisaureus and others have done an excellent job evangelizing the value of the Foundation, and it’s great to see it have such positive impact this early in its formation.
In the user community, enterprise adoption of Node.js has skyrocketed with an abundance of success stories. But behind every successful project is someone who is betting their career on the choice to build with Node.js. Their primary “ask” is to de-risk the project. They want stable, production-grade code that will handle their technical requirements and an LTS that matches what they get from other software. The Foundation will get that right. Donations to the Foundation will provide the resources we need to broaden and automate the necessary test suites and expand coverage across a large set of platforms. We are working now on codifying the LTS policy (comments welcome here) and will establish the right 6-9 month release cadence with rigor on backward compatibility and EOL horizon.
Users also want the project to be insulated from the direction of any single company or individual. Putting the project into a foundation insulates it from the commercial aspirations of Joyent or any other single company. It also facilitates the creation of the vibrant vendor ecosystem around Node.js that users want. Users want to see relevant innovation from a strong group of contributors and vendors.
The vendors themselves have a clear set of requirements that can best be addressed by the Foundation. They want a level playing field and they want to know they can monetize the contributions they make to the project. We need a vibrant ecosystem to complete the solution for the users of Node.js and drive additional value and innovation around the core project. The ecosystem is the force multiplier of value for every piece of technology and Node.js is no exception.
Finally, in addition to risk mitigation, transparency, neutrality and an open governance model, the Foundation will provide needed resources. Over the past few years Joyent and other members of the community have invested thousands of hours and millions of dollars into the project, and much has been accomplished. Going forward, Joyent will continue to invest aggressively in the success and growth of Node.js. But now, with the support of new Foundation members, we will be able to do even more. Investments from new members can be used to expand coverage of testing harnesses, establish API compatibility tests and certifications, extend coverage for additional platforms, underwrite travel expenses for technical meetups for core contributors, build training programs for users and developers, expand community development efforts, fund full-time developers and more.
I’m convinced the Foundation is the best vehicle for balancing the needs of Node.js users, vendors and contributors. The project has a brilliant future ahead of it and I am more optimistic than ever that we can work together as one strong community to secure that future.