2021-01-04, Version 15.5.1 (Current), @BethGriggs
v15.5.1
BethGriggs
Bethany Griggs
This tag was signed with the committer’s verified signature.
BethGriggs
Bethany Griggs
39fee5d
This commit was signed with the committer’s verified signature.
BethGriggs
Bethany Griggs
This is a security release.
Notable changes
Vulnerabilities fixed:
-
CVE-2020-8265: use-after-free in TLSWrap (High)
- Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
- Affected Node.js versions are vulnerable to a use-after-free bug in
-
CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)
- Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- Affected versions of Node.js allow two copies of a header field in
Commits
- [
c5dbe831b7] - http: add test for http transfer encoding smuggling (Matteo Collina) nodejs-private/node-private#228 - [
e0c9a2285c] - http: unsetF_CHUNKEDon newTransfer-Encoding(Matteo Collina) nodejs-private/node-private#228 - [
9834ef85a0] - src: retain pointers to WriteWrap/ShutdownWrap (James M Snell) nodejs-private/node-private#23