Opened 4 years ago
Last modified 4 years ago
#15623 closed enhancement
node.js-14.18.1 — at Version 1
Reported by: | Bruce Dubbs | Owned by: | |
---|---|---|---|
Priority: | elevated | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )
New minor version (14.18.0) - now 14.18.1 with security fixes:
(Update 12-Oct-2021) Security releases available

Updates are now available for the v16.x, v14.x, and v12.x Node.js release lines for the following issues.

HTTP Request Smuggling due to space in headers (Medium) (CVE-2021-22959)

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication. The fix for this is included in llhttp v2.1.4 and v6.0.6.

Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability.

Impacts: All versions of the 16.x, 14.x, and 12.x release lines.

HTTP Request Smuggling when parsing the body (Medium) (CVE-2021-22960)

The parser ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication. The fix for this is included in llhttp v2.1.4 and v6.0.6.

Thanks to Mattias Grenfeldt (https://grenfeldt.dev/) and Asta Olofsson for reporting this vulnerability.

Impacts: All versions of the 16.x, 14.x, and 12.x release lines.
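As an added illustration (not code from Node.js, llhttp, or this ticket), the strict line parsers below show the two checks the advisory turns on: refusing whitespace between a header name and the colon, and validating chunk extensions rather than skipping over them. The function names, the 8-hex-digit size bound and the sample lines are assumptions made for the example.

```javascript
// Added example: strict line parsers for an HTTP/1.1 request filter or test.
// Names, the size bound and the sample lines are assumptions for illustration.

// RFC 7230 "token": legal characters for field names and chunk-ext names.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
// quoted-string, here without any control characters (so no CR or LF).
const QUOTED = '"(?:[^"\\\\\\x00-\\x1f\\x7f]|\\\\[\\x20-\\x7e])*"';

// field-name ":" OWS field-value OWS, with nothing allowed before the colon.
const HEADER_LINE = new RegExp(
  `^(${TOKEN}):[ \\t]*([\\t\\x20-\\x7e\\x80-\\xff]*?)[ \\t]*$`);
// chunk-size *( ";" name [ "=" value ] ); size capped at 8 hex digits.
const CHUNK_LINE = new RegExp(
  `^([0-9A-Fa-f]{1,8})((?:;${TOKEN}(?:=(?:${TOKEN}|${QUOTED}))?)*)$`);

// Parse one header line (CRLF already stripped); throw instead of guessing.
function parseHeaderLine(line) {
  const m = HEADER_LINE.exec(line);
  if (!m) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
  return { name: m[1].toLowerCase(), value: m[2] };
}

// Parse one chunk-size line; extensions are validated, not skipped.
function parseChunkSizeLine(line) {
  const m = CHUNK_LINE.exec(line);
  if (!m) throw new Error(`malformed chunk-size line: ${JSON.stringify(line)}`);
  return { size: parseInt(m[1], 16), extensions: m[2] };
}

// Return the lines that the given strict parser refuses.
function rejectedLines(lines, parse) {
  return lines.filter((line) => {
    try { parse(line); return false; } catch (e) { return true; }
  });
}

// Constructed sample lines (not captured traffic).
const SAMPLE_HEADERS = ['Host: example.test', 'Content-Length : 5'];
const SAMPLE_CHUNK_LINES = ['5', '1a;name=value', '5;n="a b"', '5;bad ext'];

console.log(rejectedLines(SAMPLE_HEADERS, parseHeaderLine));
console.log(rejectedLines(SAMPLE_CHUNK_LINES, parseChunkSizeLine));
```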
Change History (1)
comment:1 by , 4 years ago
Description: | modified (diff) |
---|---|
Owner: | changed from | to
Status: | new → assigned |
Summary: | node.js-14.18.0 → node.js-14.18.1 |