Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#14875 closed enhancement (fixed)

node.js-14.16.1

Reported by: Douglas R. Reno Owned by: ken@…
Priority: high Milestone: 10.2
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Change History (6)

comment:1 by ken@…, 4 months ago

Owner: changed from blfs-book to ken@…
Status: newassigned

Huh, I thought I'd updated this and accepted it:

https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/

(Update 6-Apr-2021) Security releases available

Updates are now available for v10,x, v12.x, v14.x and v15.x Node.js release lines for the following issues.
OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

Impacts:

    All versions of the 15.x, 14.x, 12.x and 10.x releases lines

OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

Impacts:

    All versions of the 15.x, 14.x, 12.x and 10.x releases lines

npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)

This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh

Impacts:

    All versions of the 14.x, 12.x and 10.x releases lines

Downloads and release details

    Node.js v10.24.1 (LTS)
    Node.js v12.22.1 (LTS)
    Node.js v14.16.1 (LTS)
    Node.js v15.14.0 (Current)

comment:2 by ken@…, 4 months ago

Priority: normalhigh

comment:3 by ken@…, 4 months ago

Book updated in r24456.

I'll do the advisory later.

comment:4 by ken@…, 4 months ago

Advisory SA 10.1-025 committed and pushed.

comment:5 by ken@…, 4 months ago

Resolution: fixed
Status: assignedclosed

And checked for valid html

comment:6 by ken@…, 4 months ago

For some reason my SBU on this machine was an outlier - doesn't make a lot of differnece to this package, but my measurements for a bigger package were severely odd. After running a series of remeasuremnts I've now got a more consistent value, so changing the time for this.

Fixed in d281a04ea5d9.

Note: See TracTickets for help on using tickets.