Release proposal: v2.3.4 #2115
Release proposal: v2.3.4 #2115
Conversation
Fishrock123
added
the
meta
|
For reference, "high" is the highest severity level they report and is described as:
|
|
This is pretty awful :( |
|
I can work on it as soon as it is released on July 9th. It usually around 15:00 GMT for these days. |
|
@shigeki I can do it if the time is inconvenient for you. 15.00 GMT is in the afternoon for me and I assume an upgrade isn't any more complicated than applying the diff and maybe regenerating the assembly code. |
|
@bnoordhuis Thanks for your offer. I will give over to you if I cannot make it. But I have to stay up until release in order to update my servers as it fixes a high severity. In the next time of release if a low severity, I'm going to ask someone volunteer in colaborators to work on upgrading with me. |
|
The openssl-1.0.2d has just been released. The vulnerability of Alternative chains certificate forgery (CVE-2015-1793) affects tls.client connection so I update it right now. |
|
Converted to PR, PTAL. |
|
|
||
| ### Notable changes | ||
|
|
||
| * **openssl**: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery). |
There was a problem hiding this comment.
There is a PR for this now. #2141
|
The eagle, I mean #2141, has landed. |
|
@bnoordhuis ;-) 👍 |
Fishrock123
force-pushed
the
release-2.3.4
branch
from
0c2140d
to
be0e0ff
Compare
|
@Fishrock123 Is this CI run for cutting the release? |
Notable changes * openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains Certificate Forgery). * npm: Upgraded to v2.12.1, release notes can be found in https://github.com/npm/npm/releases/tag/v2.12.0 and https://github.com/npm/npm/releases/tag/v2.12.1 (Kat Marchán) nodejs#2112.
Fishrock123
force-pushed
the
release-2.3.4
branch
from
be0e0ff
to
1a340a8
Compare
|
@thefourtheye that is for testing, I'll start the build process soon. |
|
@Fishrock123 Okay, cool. 👍 I thought that the last CI run against the |
|
Release building off this branch for now: https://jenkins-iojs.nodesource.com/job/iojs+release/36/ |
|
Ah fudge I forgot to add PR-URL on the release commits, too late now. Release is up at https://iojs.org/dist/v2.3.4/ |
|
cc @nodejs/evangelism can I get retweets for https://twitter.com/Fishrock123/status/619249815029854208 and https://twitter.com/Fishrock123/status/619261517901344768? :D |
|
@Fishrock123 Done 👍 Actually, hash-tagging with io.js or nodejs reaches more eyes, I think. |
|
how can these openssl security update affecting node.js/iojs as other language are not updating (like Ruby/Java) ? |
|
@chetandhembre because node and iojs bundles openssl while the others you referred to aren't. |
|
@jbergstroem but why node.js/io.js bundle openssl ? any specific reason not to use os level openssl. |
|
@chetandhembre Because distro's often ship old versions that lack features we want. |
|
@bnoordhuis thanks !! |
|
@Fishrock123 did we get armv6 builds for this? |
|
Oh dang, let me do that right now. I got pretty carried away with Cascadia and didn't even really have my laptop out on friday. |
|
@rvagg done! :) (1.8.4 also) |
|
@Fishrock123 I dont see it built here https://jenkins-iojs.nodesource.com/job/iojs+release/36/. How is it actually done? |
|
@thefourtheye they are built from the pi1-raspbian-wheezy machine. |
|
@Fishrock123 Ah, thanks :-) |
There will be a "high" severity fix to OpenSSL this thursday. See https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html
We should probably look at having a release that day, if possible.
cc @shigeki / @indutny
0d15161c24] - benchmark: Add some path benchmarks for path: refactor for performance and consistency #1778 (Nathan Woltman) #1778b18c841ec1] - deps: make node-gyp work with io.js (cjihrig) iojs/io.js#990863cdbdd08] - deps: upgrade to npm 2.12.1 (Kat Marchán) #211284b3915764] - doc: document current release procedure (Rod Vagg) #209946140334cd] - doc: update AUTHORS list (Rod Vagg) #2100bca53dce76] - path: refactor for performance and consistency (Nathan Woltman) #17786bef15afe7] - src: remove traceSyncIO property from process (Bradley Meck) #21432ba1740ba1] - test: add missing crypto checks (Johan Bergström) #2129180fd392ca] - test: refactor test-repl-tab-complete (Sakthipriyan Vairamani) #2122fb05c8e27d] - _Revert_ "test: add test for missingclose/finishevent" (Fedor Indutny)9436a860cb] - test: add test for missingclose/finishevent (Mark Plomer) iojs/io.js#1373ee3ce2ed88] - tools: install gdbinit from v8 to $PREFIX/share (Ali Ijaz Sheikh) #2123dd523c75da] - win,node-gyp: enable delay-load hook by default (Bert Belder) iojs/io.js#1433