Change History (9)
comment:1 by , 5 years ago
| Priority: | normal → high |
|---|
follow-up: 3 comment:2 by , 5 years ago
I wonder if we should move to v14 (14.4.0 in this case, which has the same fixes). I suggested in the past that we should use the active version https://nodejs.org/en/about/releases/ which will be v12 until 20th October but does not support python3. Python3 was added as the default during node v13, but that series was only ever 'current' (development) and is now defunct (last release in April).
v14 is 'current' until October, looks as if moving to it will cause more frequent updates, and perhaps some possible breakage. Dunno if it is right for the book.
comment:3 by , 5 years ago
Replying to ken@…:
I wonder if we should move to v14 (14.4.0 in this case, which has the same fixes). I suggested in the past that we should use the active version https://nodejs.org/en/about/releases/ which will be v12 until 20th October but does not support python3. Python3 was added as the default during node v13, but that series was only ever 'current' (development) and is now defunct (last release in April).
v14 is 'current' until October, looks as if moving to it will cause more frequent updates, and perhaps some possible breakage. Dunno if it is right for the book.
I don't normally install nghttp2 unless I'm editing, so I built and installed 14.4.0 without system nghttp, closed my desktop, fresh instances of browsers, all seems fine. Installed nghttp2. Started to build by the book, quickly failed:
g++ -o /tmp/node-v14.4.0/out/Release/obj.target/libnode/src/node_i18n.o ../src/node_i18n.cc '-DV8_DEPRECATION_WARNINGS' '-DV8_IMMINENT_DEPRECATION_WARNINGS' '-D__STDC_FORMAT_MACROS' '-DNODE_ARCH="x64"' '-DNODE_PLATFORM="linux"' '-DNODE_WANT_INTERNALS=1' '-DV8_DEPRECATION_WARNINGS=1' '-DNODE_OPENSSL_SYSTEM_CERT_PATH=""' '-DHAVE_INSPECTOR=1' '-DNODE_ENABLE_LARGE_CODE_PAGES=1' '-D__POSIX__' '-DNODE_USE_V8_PLATFORM=1' '-DNODE_HAVE_I18N_SUPPORT=1' '-DHAVE_OPENSSL=1' -I../src -I/tmp/node-v14.4.0/out/Release/obj/gen -I/tmp/node-v14.4.0/out/Release/obj/gen/include -I/tmp/node-v14.4.0/out/Release/obj/gen/src -I../deps/histogram/src -I../deps/uvwasi/include -I../deps/v8/include -I../deps/llhttp/include -I../deps/brotli/c/include -Wall -Wextra -Wno-unused-parameter -pthread -Wall -Wextra -Wno-unused-parameter -m64 -O3 -fno-omit-frame-pointer -fno-rtti -fno-exceptions -std=gnu++1y -MMD -MF /tmp/node-v14.4.0/out/Release/.deps//tmp/node-v14.4.0/out/Release/obj.target/libnode/src/node_i18n.o.d.raw -c
../src/node_http2.cc: In constructor ‘node::http2::Http2Options::Http2Options(node::http2::Http2State*, node::http2::SessionType)’:
../src/node_http2.cc:200:5: error: ‘nghttp2_option_set_max_settings’ was not declared in this scope; did you mean ‘nghttp2_session_get_local_settings’?
200 | nghttp2_option_set_max_settings(
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| nghttp2_session_get_local_settings
comment:4 by , 5 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Taking this (for v12.18.0) because of the urgency.
comment:5 by , 5 years ago
LOL - same thing with 12.18.0, but much later in the build:
g++ -o /tmp/node-v12.18.0/out/Release/obj.target/libnode/src/node_main_instance.o ../src/node_main_instance.cc '-DV8_DEPRECATION_WARNINGS' '-DV8_IMMINENT_DEPRECATION_WARNINGS' '-D__STDC_FORMAT_MACROS' '-DNODE_ARCH="x64"' '-DNODE_PLATFORM="linux"' '-DNODE_WANT_INTERNALS=1' '-DV8_DEPRECATION_WARNINGS=1' '-DNODE_OPENSSL_SYSTEM_CERT_PATH=""' '-DHAVE_INSPECTOR=1' '-DNODE_ENABLE_LARGE_CODE_PAGES=1' '-D__POSIX__' '-DNODE_USE_V8_PLATFORM=1' '-DNODE_HAVE_I18N_SUPPORT=1' '-DHAVE_OPENSSL=1' '-DHTTP_PARSER_STRICT=0' -I../src -I/tmp/node-v12.18.0/out/Release/obj/gen -I/tmp/node-v12.18.0/out/Release/obj/gen/include -I/tmp/node-v12.18.0/out/Release/obj/gen/src -I../deps/histogram/src -I../deps/uvwasi/include -I../deps/v8/include -I../deps/http_parser -I../deps/llhttp/include -I../deps/brotli/c/include -Wall -Wextra -Wno-unused-parameter -pthread -Wall -Wextra -Wno-unused-parameter -m64 -O3 -fno-omit-frame-pointer -fno-rtti -fno-exceptions -std=gnu++1y -MMD -MF /tmp/node-v12.18.0/out/Release/.deps//tmp/node-v12.18.0/out/Release/obj.target/libnode/src/node_main_instance.o.d.raw -c
../src/node_http2.cc: In constructor ‘node::http2::Http2Options::Http2Options(node::Environment*, node::http2::nghttp2_session_type)’:
../src/node_http2.cc:208:5: error: ‘nghttp2_option_set_max_settings’ was not declared in this scope; did you mean ‘nghttp2_session_get_local_settings’?
208 | nghttp2_option_set_max_settings(
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| nghttp2_session_get_local_settings
make[1]: *** [libnode.target.mk:312: /tmp/node-v12.18.0/out/Release/obj.target/libnode/src/node_http2.o] Error 1
make[1]: *** Waiting for unfinished jobs....
rm 73501ab4a15ac1976d85a42d4b1411adf8b5c565.intermediate 7e94f4e661e7e5240dae4678ebaadb5815e77149.intermediate df6f4b4d94ad49be3670a6d94f5b02b2b470dad2.intermediate a4ab6356d5f8872547b211c11ac56c2fa720f99f.intermediate
make: *** [Makefile:101: node] Error 2
Dropping system nghttp2, we can discuss whether we want to move to v14 separately.
comment:7 by , 5 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
2020-06-02, Version 12.18.0 'Erbium' (LTS), @targos Notable changes This is a security release. Vulnerabilities fixed: CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High). CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low). CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High). Commits [c6d0bdacc4] - crypto: update root certificates (AshCripps) #33682 [916b2824d1] - (SEMVER-MINOR) deps: update nghttp2 to 1.41.0 (James M Snell) nodejs-private/node-private#206 [d381426377] - (SEMVER-MINOR) http2: implement support for max settings entries (James M Snell) nodejs-private/node-private#206 [7dd8982570] - napi: fix memory corruption vulnerability (Tobias Nießen) nodejs-private/node-private#195 [0932309af2] - tls: emit session after verifying certificate (Fedor Indutny) nodejs-private/node-private#200 [c392d3923f] - tools: update certdata.txt (AshCripps) #33682Two high severity vulnerabilities (the TLS session reuse vulnerability is extremely important), and one low security vulnerability.