---
- branch: MAIN
  date: Wed Sep 28 11:10:44 UTC 2016
  files:
  - new: '1.76'
    old: '1.75'
    path: pkgsrc/lang/nodejs/Makefile
    pathrev: pkgsrc/lang/nodejs/Makefile@1.76
    type: modified
  - new: '1.75'
    old: '1.74'
    path: pkgsrc/lang/nodejs/distinfo
    pathrev: pkgsrc/lang/nodejs/distinfo@1.75
    type: modified
  id: 20160928T111044Z.5443acf76e9aae8849f76effc0db9c1c8b3576c7
  log: |
    Update lang/nodejs to 6.7.0

    - openssl: Remove support for loading dynamic third-party engine
      modules. An attacker may be able to hide malicious code to be
      inserted into Node.js at runtime by masquerading as one of the
      dynamic engine modules.
    - http: CVE-2016-5325 - Properly validate for allowable characters
      in the reason argument in ServerResponse#writeHead().
    - buffer: Zero-fill excess bytes in new Buffer objects created
      with Buffer.concat() while providing a totalLength parameter
      that exceeds the total length of the original Buffer objects
      being concatenated.
    - src: Fix regression where passing an empty password and/or salt
      to crypto.pbkdf2() would cause a fatal error
    - tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
      check whereby a TLS server may be able to serve an invalid
      wildcard certificate for its hostname due to improper validation
      of *. in the wildcard string.
    - v8: Fix regression where a regex on a frozen object was broken
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang/nodejs'
  unixtime: '1475061044'
  user: fhajny