Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13628 closed enhancement (fixed)

node.js-12.18.0

Reported by: Bruce Dubbs Owned by: ken@…
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (9)

comment:1 by Douglas R. Reno, 4 years ago

Priority: normal → high
2020-06-02, Version 12.18.0 'Erbium' (LTS), @targos
Notable changes

This is a security release.

Vulnerabilities fixed:

    CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
    CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
    CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).

Commits

    [c6d0bdacc4] - crypto: update root certificates (AshCripps) #33682
    [916b2824d1] - (SEMVER-MINOR) deps: update nghttp2 to 1.41.0 (James M Snell) nodejs-private/node-private#206
    [d381426377] - (SEMVER-MINOR) http2: implement support for max settings entries (James M Snell) nodejs-private/node-private#206
    [7dd8982570] - napi: fix memory corruption vulnerability (Tobias Nießen) nodejs-private/node-private#195
    [0932309af2] - tls: emit session after verifying certificate (Fedor Indutny) nodejs-private/node-private#200
    [c392d3923f] - tools: update certdata.txt (AshCripps) #33682

Two high severity vulnerabilities (the TLS session reuse vulnerability is extremely important), and one low security vulnerability.

comment:2 by ken@…, 4 years ago

I wonder if we should move to v14 (14.4.0 in this case, which has the same fixes). I suggested in the past that we should use the active version https://nodejs.org/en/about/releases/ which will be v12 until 20th October but does not support python3. Python3 was added as the default during node v13, but that series was only ever 'current' (development) and is now defunct (last release in April).

v14 is 'current' until October, looks as if moving to it will cause more frequent updates, and perhaps some possible breakage. Dunno if it is right for the book.

in reply to: 2 comment:3 by ken@…, 4 years ago

Replying to ken@…:

I wonder if we should move to v14 (14.4.0 in this case, which has the same fixes). I suggested in the past that we should use the active version https://nodejs.org/en/about/releases/ which will be v12 until 20th October but does not support python3. Python3 was added as the default during node v13, but that series was only ever 'current' (development) and is now defunct (last release in April).

v14 is 'current' until October, looks as if moving to it will cause more frequent updates, and perhaps some possible breakage. Dunno if it is right for the book.

I don't normally install nghttp2 unless I'm editing, so I built and installed 14.4.0 without system nghttp, closed my desktop, fresh instances of browsers, all seems fine. Installed nghttp2. Started to build by the book, quickly failed:

  g++ -o /tmp/node-v14.4.0/out/Release/obj.target/libnode/src/node_i18n.o ../src/node_i18n.cc '-DV8_DEPRECATION_WARNINGS' '-DV8_IMMINENT_DEPRECATION_WARNINGS' '-D__STDC_FORMAT_MACROS' '-DNODE_ARCH="x64"' '-DNODE_PLATFORM="linux"' '-DNODE_WANT_INTERNALS=1' '-DV8_DEPRECATION_WARNINGS=1' '-DNODE_OPENSSL_SYSTEM_CERT_PATH=""' '-DHAVE_INSPECTOR=1' '-DNODE_ENABLE_LARGE_CODE_PAGES=1' '-D__POSIX__' '-DNODE_USE_V8_PLATFORM=1' '-DNODE_HAVE_I18N_SUPPORT=1' '-DHAVE_OPENSSL=1' -I../src -I/tmp/node-v14.4.0/out/Release/obj/gen -I/tmp/node-v14.4.0/out/Release/obj/gen/include -I/tmp/node-v14.4.0/out/Release/obj/gen/src -I../deps/histogram/src -I../deps/uvwasi/include -I../deps/v8/include -I../deps/llhttp/include -I../deps/brotli/c/include  -Wall -Wextra -Wno-unused-parameter -pthread -Wall -Wextra -Wno-unused-parameter -m64 -O3 -fno-omit-frame-pointer -fno-rtti -fno-exceptions -std=gnu++1y -MMD -MF /tmp/node-v14.4.0/out/Release/.deps//tmp/node-v14.4.0/out/Release/obj.target/libnode/src/node_i18n.o.d.raw   -c
../src/node_http2.cc: In constructor ‘node::http2::Http2Options::Http2Options(node::http2::Http2State*, node::http2::SessionType)’:
../src/node_http2.cc:200:5: error: ‘nghttp2_option_set_max_settings’ was not declared in this scope; did you mean ‘nghttp2_session_get_local_settings’?
  200 |     nghttp2_option_set_max_settings(
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |     nghttp2_session_get_local_settings

comment:4 by ken@…, 4 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

Taking this (for v12.18.0) because of the urgency.

comment:5 by ken@…, 4 years ago

LOL - same thing with 12.18.0, but much later in the build:

  g++ -o /tmp/node-v12.18.0/out/Release/obj.target/libnode/src/node_main_instance.o ../src/node_main_instance.cc '-DV8_DEPRECATION_WARNINGS' '-DV8_IMMINENT_DEPRECATION_WARNINGS' '-D__STDC_FORMAT_MACROS' '-DNODE_ARCH="x64"' '-DNODE_PLATFORM="linux"' '-DNODE_WANT_INTERNALS=1' '-DV8_DEPRECATION_WARNINGS=1' '-DNODE_OPENSSL_SYSTEM_CERT_PATH=""' '-DHAVE_INSPECTOR=1' '-DNODE_ENABLE_LARGE_CODE_PAGES=1' '-D__POSIX__' '-DNODE_USE_V8_PLATFORM=1' '-DNODE_HAVE_I18N_SUPPORT=1' '-DHAVE_OPENSSL=1' '-DHTTP_PARSER_STRICT=0' -I../src -I/tmp/node-v12.18.0/out/Release/obj/gen -I/tmp/node-v12.18.0/out/Release/obj/gen/include -I/tmp/node-v12.18.0/out/Release/obj/gen/src -I../deps/histogram/src -I../deps/uvwasi/include -I../deps/v8/include -I../deps/http_parser -I../deps/llhttp/include -I../deps/brotli/c/include  -Wall -Wextra -Wno-unused-parameter -pthread -Wall -Wextra -Wno-unused-parameter -m64 -O3 -fno-omit-frame-pointer -fno-rtti -fno-exceptions -std=gnu++1y -MMD -MF /tmp/node-v12.18.0/out/Release/.deps//tmp/node-v12.18.0/out/Release/obj.target/libnode/src/node_main_instance.o.d.raw   -c
../src/node_http2.cc: In constructor ‘node::http2::Http2Options::Http2Options(node::Environment*, node::http2::nghttp2_session_type)’:
../src/node_http2.cc:208:5: error: ‘nghttp2_option_set_max_settings’ was not declared in this scope; did you mean ‘nghttp2_session_get_local_settings’?
  208 |     nghttp2_option_set_max_settings(
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |     nghttp2_session_get_local_settings
make[1]: *** [libnode.target.mk:312: /tmp/node-v12.18.0/out/Release/obj.target/libnode/src/node_http2.o] Error 1
make[1]: *** Waiting for unfinished jobs....
rm 73501ab4a15ac1976d85a42d4b1411adf8b5c565.intermediate 7e94f4e661e7e5240dae4678ebaadb5815e77149.intermediate df6f4b4d94ad49be3670a6d94f5b02b2b470dad2.intermediate a4ab6356d5f8872547b211c11ac56c2fa720f99f.intermediate
make: *** [Makefile:101: node] Error 2

Dropping system nghttp2, we can discuss whether we want to move to v14 separately.
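A pre-build check for the failure hit in comments 3 and 5, added here as an example that is not part of the ticket or of the BLFS book: it gates node's --shared-nghttp2 configure switch on whether the system nghttp2 provides nghttp2_option_set_max_settings (new in nghttp2 1.41.0, the version the release notes above bundle), and otherwise falls back to node's bundled copy. The pkg-config query and the header path in main are assumptions about the build host.

```shell
#!/bin/sh
# Added example, not from the ticket or the BLFS book. node 12.18.0 and 14.4.0
# call nghttp2_option_set_max_settings() (the CVE-2020-11080 fix), first shipped
# in nghttp2 1.41.0, so --shared-nghttp2 against an older library fails as above.

REQUIRED_NGHTTP2=1.41.0
NEEDED_SYMBOL=nghttp2_option_set_max_settings

# version_ge A B: return 0 when dotted version A >= B (missing fields count as 0).
version_ge() {
    IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# header_declares HEADER: return 0 when this nghttp2.h declares the needed
# symbol (catches a distro that backports the API without bumping the version).
header_declares() {
    grep -q "$NEEDED_SYMBOL" "$1" 2>/dev/null
}

# nghttp2_configure_flag VERSION HEADER: print "--shared-nghttp2" when the
# system library is usable, or an empty line meaning "build the bundled copy".
nghttp2_configure_flag() {
    if version_ge "$1" "$REQUIRED_NGHTTP2" || header_declares "$2"; then
        printf '%s\n' "--shared-nghttp2"
    else
        printf '\n'
    fi
}

# Probe the real system (assumption: pkg-config with libnghttp2.pc is installed
# and the header lives at /usr/include/nghttp2/nghttp2.h).
main() {
    ver=$(pkg-config --modversion libnghttp2 2>/dev/null || echo 0.0.0)
    flag=$(nghttp2_configure_flag "$ver" /usr/include/nghttp2/nghttp2.h)
    echo "system nghttp2 $ver -> configure with: ${flag:-(bundled nghttp2)}"
    # then, in the node source tree: ./configure --prefix=/usr $flag
}

main
```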

comment:7 by ken@…, 4 years ago

Resolution: fixed
Status: assigned → closed

comment:8 by Bruce Dubbs, 4 years ago

Milestone: 9.2 → 10,0

Milestone renamed

comment:9 by Bruce Dubbs, 4 years ago

Milestone: 10,0 → 10.0

Milestone renamed
