Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#15330 closed enhancement (fixed)

node.js-14.17.4

Reported by: Bruce Dubbs Owned by: ken@…
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by ken@…, 14 months ago

Owner: changed from blfs-book to ken@…
Priority: normalelevated
Status: newassigned

From the oss-security list:

Updates are now available for v16.x, v14.x, and v12.x Node.js release lines.

We normally like to give advance notice and provide releases in which the
only  changes are security fixes, but since this vulnerability was already
public we felt it was more important to get this fix out fast in releases
that were  already planned.

For more information see:
[https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2]

Use after free on close http2 on stream canceling (High) (CVE-2021-22930)

Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930

Thank you to Eran Levin (exx8) for reporting this vulnerability.

Impacts:

All versions of the 16.x, 14.x, and 12.x releases lines

(The CVE currently shows as Reserved)

comment:2 by ken@…, 14 months ago

Fixed in @d63fed6200877253f8ae60d56a71b4b91b5f4ca0 10.1-701 Security Advisory 10.1-084.

comment:3 by ken@…, 14 months ago

Resolution: fixed
Status: assignedclosed

comment:4 by Bruce Dubbs, 14 months ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.