[0.10] deps: update libuv to 0.10.37

[saghul]

Fixes: #7199
Refs: #2723

/cc @nodejs/collaborators

[saghul]

CI: https://ci.nodejs.org/job/node-test-commit/3736/

[rvagg]

test-stdout-close-catch failure on Windows is the only suspicious one I see in there. https://ci.nodejs.org/job/node-test-commit/3737/ for good measure.

@saghul is there anything else in here that we should be concerned about? I'm thinking that if we ship this in our security update this week what is the potential for unintended breakages beyond just the rwlocks fix?

[rvagg]

Bad params for that CI run, trying again @ https://ci.nodejs.org/job/node-test-commit/3738/

Smoke testing @ https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/302/

[rvagg]

two test-stdout-close-catch failures on Windows this time, that's not so great

[saghul]

I don't see how the changes in this release can affect stdout related tests :-( The rwlock related fix looks big but it's not a big deal, and not used for stdio stuff AFAIK.

IMHO this is a low impact update.

Do those tests consistently pass without this patch?

[rvagg]

ran on vanilla v0.10-staging and got a failure of the same test https://ci.nodejs.org/job/node-test-binary-windows/2518/

there's so much flakiness on v0.10 and v0.12 that it's really hard to tell what's a cause for concern and what's not, I'll be glad when we retire all of that at the end of the year.

this update lgtm

[saghul]

Thanks for confirming. I'll wait until wednesday to merge in case someone wants to take a look.

[mhdawson]

I'd still vote for not including in the security release. I think security releases should just be the previous release plus the security changes, at least for the LTS lines.

Is there some reason this fix is important enough to sneak it in ?

[saghul]

@mhdawson This includes a security fix that affects Windows XP. I know, I know.

[rmg]

If one tries hard, you could consider the missing ENFILE mapping a DOS vector since prior to this libuv they were treated as unknown errors. Have to squint and wave your arms, a lot, though.

[rvagg]

We considered this a security issue in the past. See libuv/libuv#515 for the upstream discussion and #2723 where we fixed the bits in Node that used rwlocks and labelled this CVE-2014-9748 (Mitre hasn't processed the memo that it should be public, we're working on that again).

I'm fine with deferring this until the next release of v0.10 if nobody sees any urgency in here (I'm relying on libuv folk here for this assessment, @bnoordhuis, @saghul).

[saghul]

I'd say we include this in tomorrow's release. It's a low risk change which we neglected enough already. To be honest, if this wasn't going on tomorrow's release I would have neglected it even longer.

People running 0.10 are probably not used to many Node updates by now, so immediately queuing up 2 releases sounds pointless to me.

[rvagg]

landed in node-private, will be merged here tomorrow