Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
2021-01-04, Version 14.15.4 'Fermium' (LTS)
This is a security release. Notable changes: Vulnerabilities fixed: - **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt - **CVE-2020-8265**: use-after-free in TLSWrap (High) - Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. - **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low) - Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). PR-URL: nodejs-private/node-private#242
- Loading branch information