This is a security release.
Notable Changes
Vulnerabilities fixed:
-
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
- This is a vulnerability in OpenSSL which may be exploited through
Node.js. You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
- This is a vulnerability in OpenSSL which may be exploited through
-
CVE-2020-8265: use-after-free in TLSWrap (High)
- Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
- Affected Node.js versions are vulnerable to a use-after-free bug in
-
CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)
- Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- Affected versions of Node.js allow two copies of a header field in
Commits
- [
305c0f4977] - deps: upgrade npm to 6.14.10 (Ruy Adorno) #36571 - [
d62c650f75] - deps: update archs files for OpenSSL-1.1.1i (Myles Borins) #36521 - [
2de2672eb5] - deps: upgrade openssl sources to 1.1.1i (Myles Borins) #36521 - [
7ecac8143f] - http: add test for http transfer encoding smuggling (Matteo Collina) nodejs-private/node-private#228 - [
641f786bb1] - http: unsetF_CHUNKEDon newTransfer-Encoding(Matteo Collina) nodejs-private/node-private#228 - [
4f8772f9b7] - src: retain pointers to WriteWrap/ShutdownWrap (James M Snell) nodejs-private/node-private#23