Description
As this is affecting this repository / the tagged releases of this repo, I hope this is the correct place to report this problem; if not, please let me know where to forward the following.
On the following tags:
- https://github.com/nodejs/node/releases/tag/v16.6.2
- https://github.com/nodejs/node/releases/tag/v14.17.5
as well as in the related CHANGELOG_v14.md / CHANGELOG_v16.md the following is stated for the mentioned releases:
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Comparing the releases with the announcement here:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
this probably should be the following instead:
CVE-2021-22940 Use after free on close http2 on stream canceling (High)
due to:
The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.