2020-02-06, Version 10.19.0 'Dubnium' (LTS)

This is a security release. Vulnerabilities fixed: * **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed. * **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header. * **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string. Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the `--insecure-http-parser` command line flag, or the `insecureHTTPParser` http option. Using the insecure HTTP parser should be avoided. PR-URL: nodejs-private/node-private#198
nodejs · Feb 5, 2020 · 5ba7df3 · 5ba7df3
1 parent e2c8f89
commit 5ba7df3
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -33,7 +33,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V12.md#12.0.0">12.0.0</a><br/>
     </td>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V10.md#10.18.1">10.18.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V10.md#10.19.0">10.19.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V10.md#10.18.1">10.18.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V10.md#10.18.0">10.18.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V10.md#10.17.0">10.17.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V10.md#10.16.3">10.16.3</a><br/>

diff --git a/doc/api/cli.md b/doc/api/cli.md
@@ -183,7 +183,7 @@ Specify the `file` of the custom [experimental ECMAScript Module][] loader.
 
 ### `--insecure-http-parser`
 <!-- YAML
-added: REPLACEME
+added: v10.19.0
 -->
 
 Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow

diff --git a/doc/api/http.md b/doc/api/http.md
@@ -1830,7 +1830,7 @@ Found'`.
 <!-- YAML
 added: v0.1.13
 changes:
-  - version: REPLACEME
+  - version: v10.19.0
     pr-url: https://github.com/nodejs/node/pull/31448
     description: The `insecureHTTPParser` option is supported now.
   - version: v9.6.0, v8.12.0
@@ -1950,7 +1950,7 @@ Defaults to 8KB. Configurable using the [`--max-http-header-size`][] CLI option.
 <!-- YAML
 added: v0.3.6
 changes:
-  - version: REPLACEME
+  - version: v10.19.0
     pr-url: https://github.com/nodejs/node/pull/31448
     description: The `insecureHTTPParser` option is supported now.
   - version: v10.9.0

diff --git a/doc/changelogs/CHANGELOG_V10.md b/doc/changelogs/CHANGELOG_V10.md
@@ -10,6 +10,7 @@
 </tr>
 <tr>
 <td valign="top">
+<a href="#10.19.0">10.19.0</a><br/>
 <a href="#10.18.1">10.18.1</a><br/>
 <a href="#10.18.0">10.18.0</a><br/>
 <a href="#10.17.0">10.17.0</a><br/>
@@ -58,6 +59,35 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="10.19.0"></a>
+## 2020-02-06, Version 10.19.0 'Dubnium' (LTS), @BethGriggs
+
+### Notable changes
+
+This is a security release.
+
+Vulnerabilities fixed:
+* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
+* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
+* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.
+
+Also, HTTP parsing is more strict to be more secure. Since this may
+cause problems in interoperability with some non-conformant HTTP
+implementations, it is possible to disable the strict checks with the
+`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
+http option. Using the insecure HTTP parser should be avoided.
+
+### Commits
+
+* [[`f940bee3b7`](https://github.com/nodejs/node/commit/f940bee3b7)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://github.com/nodejs-private/node-private/pull/175)
+* [[`49f4220ce5`](https://github.com/nodejs/node/commit/49f4220ce5)] - **deps**: upgrade http-parser to v2.9.3 (Sam Roberts) [nodejs-private/http-parser-private#4](https://github.com/nodejs-private/http-parser-private/pull/4)
+* [[`a28e5cc1ed`](https://github.com/nodejs/node/commit/a28e5cc1ed)] - **(SEMVER-MINOR)** **deps**: upgrade http-parser to v2.9.1 (Sam Roberts) [#30471](https://github.com/nodejs/node/pull/30471)
+* [[`0082f62d9c`](https://github.com/nodejs/node/commit/0082f62d9c)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://github.com/nodejs/node/pull/31448)
+* [[`a9849c0ff6`](https://github.com/nodejs/node/commit/a9849c0ff6)] - **(SEMVER-MINOR)** **http**: opt-in insecure HTTP header parsing (Sam Roberts) [#30567](https://github.com/nodejs/node/pull/30567)
+* [[`2eee90e959`](https://github.com/nodejs/node/commit/2eee90e959)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#191](https://github.com/nodejs-private/node-private/pull/191)
+* [[`e2c8f89b75`](https://github.com/nodejs/node/commit/e2c8f89b75)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#192](https://github.com/nodejs-private/node-private/pull/192)
+* [[`d616722f65`](https://github.com/nodejs/node/commit/d616722f65)] - **test**: check that --insecure-http-parser works (Sam Roberts) [#31253](https://github.com/nodejs/node/pull/31253)
+
 <a id="10.18.1"></a>
 ## 2020-01-09, Version 10.18.1 'Dubnium' (LTS), @BethGriggs
 

diff --git a/src/node_version.h b/src/node_version.h
@@ -23,13 +23,13 @@
 #define SRC_NODE_VERSION_H_
 
 #define NODE_MAJOR_VERSION 10
-#define NODE_MINOR_VERSION 18
-#define NODE_PATCH_VERSION 2
+#define NODE_MINOR_VERSION 19
+#define NODE_PATCH_VERSION 0
 
 #define NODE_VERSION_IS_LTS 1
 #define NODE_VERSION_LTS_CODENAME "Dubnium"
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)