Context Navigation

← Previous Ticket
Next Ticket →

#15330 closed enhancement (fixed)

node.js-14.17.4

Reported by:	Bruce Dubbs	Owned by:	ken@…
Priority:	elevated	Milestone:	11.0
Component:	BOOK	Version:	git
Severity:	normal	Keywords:
Cc:

Description ¶

New point version.

Change History (4)

comment:1 by ken@…, 4 years ago

Owner:	changed from blfs-book to ken@…
Priority:	normal → elevated
Status:	new → assigned

From the oss-security list:

Updates are now available for v16.x, v14.x, and v12.x Node.js release lines.

We normally like to give advance notice and provide releases in which the
only  changes are security fixes, but since this vulnerability was already
public we felt it was more important to get this fix out fast in releases
that were  already planned.

For more information see:
[https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2]

Use after free on close http2 on stream canceling (High) (CVE-2021-22930)

Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930

Thank you to Eran Levin (exx8) for reporting this vulnerability.

Impacts:

All versions of the 16.x, 14.x, and 12.x releases lines

(The CVE currently shows as Reserved)

comment:2 by ken@…, 4 years ago

Fixed in @d63fed6200877253f8ae60d56a71b4b91b5f4ca0 10.1-701 Security Advisory 10.1-084.

comment:3 by ken@…, 4 years ago

Resolution:	→ fixed
Status:	assigned → closed

comment:4 by Bruce Dubbs, 4 years ago

Milestone:	10.2 → 11.0

Milestone renamed

Note: See TracTickets for help on using tickets.

Download in other formats: