#15623 closed enhancement (fixed)
node.js-14.18.1
Reported by: | Bruce Dubbs | Owned by: | |
---|---|---|---|
Priority: | elevated | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )
New minor version (14.18.0) - now 14.18.1 with security fixes:
(Update 12-Oct-2021) Security releases available

Updates are now available for the v16.x, v14.x, and v12.x Node.js release lines for the following issues.

HTTP Request Smuggling due to spaces in headers (Medium) (CVE-2021-22959)

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication. The fix for this is included in llhttp v2.1.4 and v6.0.6. Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability.

Impacts: All versions of the 16.x, 14.x, and 12.x release lines.

HTTP Request Smuggling when parsing the body (Medium) (CVE-2021-22960)

The parser ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication. The fix for this is included in llhttp v2.1.4 and v6.0.6. Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability.

Impacts: All versions of the 16.x, 14.x, and 12.x release lines.
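As an added example (not from this ticket and not code from Node.js or llhttp), the following strict request reader enforces the two parsing rules the advisory describes, the way a defender would validate traffic at a proxy or in a regression test: a header name followed by whitespace before the colon is rejected outright, and each chunk-size line must match the RFC 7230 grammar as a whole instead of having its extension skipped. The request bytes it runs on are constructed for the example.

```javascript
// Added example, not part of the ticket or of Node.js/llhttp: a strict reader for
// the two conditions named in CVE-2021-22959 and CVE-2021-22960. Anything a
// lenient parser would silently "repair" is rejected, so no two parsers in a
// request chain can disagree about where one request ends and the next begins.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;               // RFC 7230 tchar
// chunk-size *( ";" chunk-ext-name [ "=" (token / quoted-string) ] ), no whitespace
const CHUNK_LINE = /^([0-9A-Fa-f]+)(?:;[!#$%&'*+\-.^_`|~0-9A-Za-z]+(?:=(?:[!#$%&'*+\-.^_`|~0-9A-Za-z]+|"[^"\\]*"))?)*$/;

// Returns { ok: true, headers, body } or { ok: false, reason }.
function checkRequest(raw) {
  const headEnd = raw.indexOf('\r\n\r\n');
  if (headEnd < 0) return { ok: false, reason: 'no end of header block' };
  const headers = {};
  for (const line of raw.slice(0, headEnd).split('\r\n').slice(1)) {
    const colon = line.indexOf(':');
    if (colon < 0) return { ok: false, reason: 'header line without colon' };
    const name = line.slice(0, colon);
    // CVE-2021-22959 condition: RFC 7230 s3.2.4 forbids whitespace between
    // field-name and colon and requires a 400 response, not silent acceptance.
    if (!TOKEN.test(name)) return { ok: false, reason: 'bad field-name ' + JSON.stringify(name) };
    const key = name.toLowerCase(), value = line.slice(colon + 1).trim();
    headers[key] = key in headers ? headers[key] + ', ' + value : value;
  }
  if ('transfer-encoding' in headers && 'content-length' in headers)
    return { ok: false, reason: 'Transfer-Encoding and Content-Length both present' };
  let rest = raw.slice(headEnd + 4);
  if (!('transfer-encoding' in headers)) return { ok: true, headers, body: rest };
  if (headers['transfer-encoding'] !== 'chunked')
    return { ok: false, reason: 'unsupported Transfer-Encoding' };
  // CVE-2021-22960 condition: the chunk-size line is matched as a whole, so a
  // malformed or whitespace-laden chunk extension is an error, not skipped bytes.
  let body = '';
  for (;;) {
    const eol = rest.indexOf('\r\n');
    if (eol < 0) return { ok: false, reason: 'truncated chunk-size line' };
    const m = CHUNK_LINE.exec(rest.slice(0, eol));
    if (!m) return { ok: false, reason: 'bad chunk-size line ' + JSON.stringify(rest.slice(0, eol)) };
    const size = parseInt(m[1], 16);
    rest = rest.slice(eol + 2);
    if (size === 0) break;
    if (rest.slice(size, size + 2) !== '\r\n') return { ok: false, reason: 'chunk-data not followed by CRLF' };
    body += rest.slice(0, size);
    rest = rest.slice(size + 2);
  }
  // Trailers are not accepted here; any bytes after last-chunk are an error.
  if (rest !== '\r\n') return { ok: false, reason: 'unexpected data after last-chunk' };
  return { ok: true, headers, body };
}
```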
Change History (3)
comment:1 by , 3 years ago
Description: | modified (diff) |
---|---|
Owner: | changed from | to
Status: | new → assigned |
Summary: | node.js-14.18.0 → node.js-14.18.1 |
comment:2 by , 3 years ago
Priority: | normal → elevated |
---|---|
Resolution: | → fixed |
Status: | assigned → closed |
comment:3 by , 3 years ago
Major changes:
Notable Changes

- [3a60de0135] - assert: change status of legacy asserts (James M Snell) #38113
- [df37c106a7] - (SEMVER-MINOR) buffer: introduce Blob (James M Snell) #36811
- [223494c548] - (SEMVER-MINOR) buffer: add base64url encoding option (Filip Skokan) #36952
- [14fc4ddabc] - (SEMVER-MINOR) child_process: allow options.cwd receive a URL (Khaidi Chu) #38862
- [b68b13acb3] - (SEMVER-MINOR) child_process: add timeout to spawn and fork (Nitzan Uziely) #37256
- [da98c9f99b] - (SEMVER-MINOR) child_process: allow promisified exec to be cancel (Carlos Fuentes) #34249
- [779310ac87] - (SEMVER-MINOR) child_process: add 'overlapped' stdio flag (Thiago Padilha) #29412
- [40eb3b79f1] - (SEMVER-MINOR) cli: add -C alias for --conditions flag (Guy Bedford) #38755
- [39eba0a2e1] - (SEMVER-MINOR) cli: add --node-memory-debug option (Anna Henningsen) #35537
- [d8d9a9628a] - (SEMVER-MINOR) dns: add "tries" option to Resolve options (Luan Devecchi) #39610
- [15ba19b020] - (SEMVER-MINOR) dns: allow --dns-result-order to change default dns verbatim (Ouyang Yadong) #38099
- [307c1d817f] - doc: refactor fs docs structure (James M Snell) #37170
- [9ee3f77e32] - (SEMVER-MINOR) errors: remove experimental from --enable-source-maps (Benjamin Coe) #37362
- [e73bfed2f4] - esm: deprecate legacy main lookup for modules (Guy Bedford) #36918
- [989c204a58] - (SEMVER-MINOR) fs: allow empty string for temp directory prefix (Voltrex) #39028
- [ef72490cde] - (SEMVER-MINOR) fs: allow no-params fsPromises fileHandle read (Nitzan Uziely) #38287
- [cad9d20f64] - (SEMVER-MINOR) fs: add support for async iterators to fsPromises.writeFile (HiroyukiYagihashi) #37490
- [2b0e2706c0] - fs: improve fsPromises readFile performance (Nitzan Uziely) #37608
- [fe12cc07b3] - (SEMVER-MINOR) fs: add fsPromises.watch() (James M Snell) #37179
- [2459c115a8] - (SEMVER-MINOR) fs: allow position parameter to be a BigInt in read and readSync (Darshan Sen) #36190
- [6544cfb4b9] - (SEMVER-MINOR) http2: add support for sensitive headers (Anna Henningsen) #34145
- [a6c6cbb4e6] - (SEMVER-MINOR) http2: allow setting the local window size of a session (Yongsheng Zhang) #35978
- [1e5aca550c] - inspector: mark as stable (Gireesh Punathil) #37748
- [93af04afbb] - (SEMVER-MINOR) module: add support for URL to import.meta.resolve (Antoine du Hamel) #38587
- [f9f9389d83] - (SEMVER-MINOR) module: add support for node:‑prefixed require(…) calls (ExE Boss) #37246
- [87c71065eb] - (SEMVER-MINOR) net: introduce net.BlockList (James M Snell) #34625
- [b421d99a48] - (SEMVER-MINOR) node-api: allow retrieval of add-on file name (Gabriel Schulhof) #37195
- [6a4811df8a] - (SEMVER-MINOR) os: add os.devNull (Luigi Pinca) #38569
- [4a88ddeeca] - (SEMVER-MINOR) perf_hooks: introduce createHistogram (James M Snell) #37155
- [1a6bf1c4a3] - (SEMVER-MINOR) process: add api to enable source-maps programmatically (legendecas) #39085
- [99735a6fe8] - (SEMVER-MINOR) process: add 'worker' event (James M Snell) #38659
- [3982919317] - (SEMVER-MINOR) process: add direct access to rss without iterating pages (Adrien Maret) #34291
- [526e6c7bde] - (SEMVER-MINOR) readline: add AbortSignal support to interface (Nitzan Uziely) #37932
- [e6eee08692] - (SEMVER-MINOR) readline: add support for the AbortController to the question method (Mattias Runge-Broberg) #33676
- [32de361d70] - (SEMVER-MINOR) readline: add history event and option to set initial history (Mattias Runge-Broberg) #33662
- [797f7f8a38] - (SEMVER-MINOR) repl: add auto‑completion for node:‑prefixed require(…) calls (ExE Boss) #37246
- [abfd71b64c] - (SEMVER-MINOR) src: call overload ctor from the original ctor (Darshan Sen) #39768
- [1efae01b18] - (SEMVER-MINOR) src: add a constructor overload for CallbackScope (Darshan Sen) #39768
- [f7933804ba] - (SEMVER-MINOR) src: allow to negate boolean CLI flags (Michaël Zasso) #39023
- [6d06ac2202] - (SEMVER-MINOR) src: add --heapsnapshot-near-heap-limit option (Joyee Cheung) #33010
- [577d228ca0] - (SEMVER-MINOR) src: add way to get IsolateData and allocator from Environment (Anna Henningsen) #36441
- [658a266cd4] - (SEMVER-MINOR) src: allow preventing SetPrepareStackTraceCallback (Shelley Vohr) #36447
- [f421422ea4] - (SEMVER-MINOR) src: add maybe versions of EmitExit and EmitBeforeExit (Anna Henningsen) #35486
- [a62d4d60f4] - (SEMVER-MINOR) stream: add readableDidRead if has been read from (Robert Nagy) #39589
- [63502131a3] - (SEMVER-MINOR) stream: pipeline accept Buffer as a valid first argument (Nitzan Uziely) #37739
- [68bbebd42c] - (SEMVER-MINOR) tls: allow reading data into a static buffer (Andrey Pechkurov) #35753
- [1cbb74d63d] - (SEMVER-MINOR) url: expose urlToHttpOptions utility (Yongsheng Zhang) #35960
- [8eb11356dd] - (SEMVER-MINOR) util: expose toUSVString (Robert Nagy) #39814
- [84fcdc3074] - (SEMVER-MINOR) v8: implement v8.stopCoverage() (Joyee Cheung) #33807
- [b238b6bf17] - (SEMVER-MINOR) v8: implement v8.takeCoverage() (Joyee Cheung) #33807
- [9f6bc58da8] - (SEMVER-MINOR) worker: add setEnvironmentData/getEnvironmentData (James M Snell) #37486
Fixed 4e16af81573b6ed8ea468052f71ff62c5e1dfb61 11.0-96 Security Advisory SA 11.0-014.