#13102 closed enhancement (fixed)

node.js-12.15.0

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: high
Milestone: 9.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New minor version

Change History (3)

comment:1 by Bruce Dubbs, 18 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 18 months ago

Priority: normal → high

Release notes are at https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.15.0

Notable:

This is a security release.

Vulnerabilities fixed:

  • CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
  • CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
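
A deployment check for the settings named in the release notes above, as an added example that is not part of the ticket or of Node.js itself: it reports a 12.x runtime older than 12.15.0 and any use of `--insecure-http-parser` or `insecureHTTPParser`. The function names, finding labels and sample input are hypothetical, and it assumes the flag can also arrive through the `NODE_OPTIONS` environment variable.

```javascript
// Added example: audit a Node.js 12.x launch for the strict-parser opt-outs.
const FIXED_12 = [12, 15, 0];           // release named on this ticket
const FLAG = '--insecure-http-parser';  // flag named in the release notes

// Turn "v12.14.1" or "12.14.1" into [12, 14, 1].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b.
function olderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Returns a list of finding labels (hypothetical names) for one launch.
// httpOptions is the options object handed to http.createServer()/http.request().
function auditLaunch({ version, execArgv = [], nodeOptions = '', httpOptions = {} }) {
  const findings = [];
  const ver = parseVersion(version);
  // Only the 12.x line is assessed; the ticket names no other fixed release.
  if (ver[0] === 12 && olderThan(ver, FIXED_12)) {
    findings.push('version-predates-12.15.0');
  }
  if (execArgv.includes(FLAG)) findings.push('flag-on-command-line');
  if (nodeOptions.split(/\s+/).includes(FLAG)) findings.push('flag-in-NODE_OPTIONS');
  if (httpOptions.insecureHTTPParser === true) findings.push('insecureHTTPParser-option-set');
  return findings;
}

// Audit the running process itself.
function auditCurrentProcess(httpOptions = {}) {
  return auditLaunch({
    version: process.version,
    execArgv: process.execArgv,
    nodeOptions: process.env.NODE_OPTIONS || '',
    httpOptions,
  });
}

// Constructed sample launch, for illustration only.
console.log(auditLaunch({ version: 'v12.14.1', execArgv: [FLAG] }));
```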

comment:3 by Bruce Dubbs, 18 months ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 22633.
