2021-01-04, Version 12.20.1 'Erbium' (LTS), @richardlau
Notable changes
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in its
TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method does
not return an error, this object is passed back to the caller as part of
a StreamWriteResult structure. This may be exploited to corrupt memory
leading to a Denial of Service or potentially other exploits - CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in a
http request. For example, two Transfer-Encoding header fields. In this
case Node.js identifies the first header field and ignores the second.
This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html). - CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
Commits
- [
5de5354918
] - deps: update http-parser to http-parser@ec8b5ee63f (Richard Lau) nodejs-private/node-private#236 - [
2eacfbec68
] - deps: upgrade npm to 6.14.10 (Ruy Adorno) #36571 - [
96ec482d90
] - deps: update archs files for OpenSSL-1.1.1i (Myles Borins) #36521 - [
7ec0eb408b
] - deps: upgrade openssl sources to 1.1.1i (Myles Borins) #36521 - [
76ea9c5a7a
] - deps: upgrade npm to 6.14.9 (Myles Borins) #36450 - [
420244e4d9
] - http: unsetF_CHUNKED
on newTransfer-Encoding
(Matteo Collina) nodejs-private/node-private#236 - [
4a30ac8c75
] - http: add test for http transfer encoding smuggling (Richard Lau) nodejs-private/node-private#236 - [
92d430917a
] - http: unsetF_CHUNKED
on newTransfer-Encoding
(Fedor Indutny) nodejs-private/node-private#236 - [
5b00de7d67
] - src: retain pointers to WriteWrap/ShutdownWrap (James M Snell) nodejs-private/node-private#230