Skip to content

v10.24.1 proposal#38085

Merged
MylesBorins merged 4 commits intov10.xfrom
v10.24.1-proposal
Apr 6, 2021
Merged

v10.24.1 proposal#38085
MylesBorins merged 4 commits intov10.xfrom
v10.24.1-proposal

Conversation

@MylesBorins
Copy link
Contributor

@MylesBorins MylesBorins commented Apr 4, 2021
edited
Loading

2021-04-06, Version 10.24.1 'Dubnium' (LTS), @MylesBorins

This is a security release

Notable Changes

Vulerabilties fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines

Commits

tniessen and others added 3 commits April 4, 2021 16:07
@tniessen @MylesBorins
deps: upgrade openssl sources to 1.1.1k
5db0a05 
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37940
Refs: #37913
Refs: #37916
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@tniessen @MylesBorins
deps: update archs files for OpenSSL-1.1.1k
781cb6d 
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: #37940
Refs: #37913
Refs: #37916
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@ruyadorno @MylesBorins
deps: upgrade npm to 6.14.12
5e526b9 
PR-URL: #37918
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. v10.x labels Apr 4, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 4, 2021
edited by MylesBorins
Loading

CI: https://ci.nodejs.org/job/node-test-pull-request/37148/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2665/ ✅ no new failures. Differences between platforms appear to be flakes
CITGM v10 nobuild: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker-nobuild/1070/

MylesBorins added a commit that referenced this pull request Apr 5, 2021
@MylesBorins
2021-04-06, Version 10.24.1 'Dubnium' (LTS)
4736874 
This is a security release

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
BethGriggs
BethGriggs reviewed Apr 6, 2021
View reviewed changes
Copy link
Member

@BethGriggs BethGriggs left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does This is a security release need to be This is a security release. to match the regex in https://github.com/nodejs/nodejs-dist-indexer/blob/master/is-security-release.js#L2?

(apologies for the painful nit!)

richardlau
richardlau reviewed Apr 6, 2021
View reviewed changes
MylesBorins added a commit that referenced this pull request Apr 6, 2021
@MylesBorins
2021-04-06, Version 10.24.1 'Dubnium' (LTS)
bc166e4 
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
@MylesBorins
2021-04-06, Version 10.24.1 'Dubnium' (LTS)
5182a7e 
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
MylesBorins added a commit that referenced this pull request Apr 6, 2021
@MylesBorins
Working on v10.24.2
19f3e17 
PR-URL: #38085
@MylesBorins MylesBorins merged commit 5182a7e into v10.x Apr 6, 2021
MylesBorins added a commit that referenced this pull request Apr 6, 2021
@MylesBorins
2021-04-06, Version 10.24.1 'Dubnium' (LTS)
cd15b1c 
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
@MylesBorins MylesBorins deleted the v10.24.1-proposal branch April 6, 2021 20:11
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
@MylesBorins
blog: April 2021 10/12/14 sec releases
9a5c0a0 
Refs: nodejs/node#38082
Refs: nodejs/node#38083
Refs: nodejs/node#38085
@MylesBorins MylesBorins mentioned this pull request Apr 6, 2021
Merged
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
@MylesBorins
blog: April 2021 10/12/14 sec releases (#3791)
b3635c4 
Refs: nodejs/node#38082
Refs: nodejs/node#38083
Refs: nodejs/node#38085
@targos targos added the release Issues and PRs related to Node.js releases. label Apr 11, 2021
@targos targos removed meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. labels Jun 6, 2021
@molllyn1 molllyn1 mentioned this pull request Jun 8, 2023
Open
This was referenced Jun 8, 2023
Open
Open
@ron-a20 ron-a20 mentioned this pull request Jun 8, 2023
Open
@baby636 baby636 mentioned this pull request Jun 9, 2023
Open
@137717unity 137717unity mentioned this pull request Jun 9, 2023
Open
@wedataintelligence wedataintelligence mentioned this pull request Jun 9, 2023
Open
@kissofire kissofire mentioned this pull request Jun 25, 2023
Open
@kissofire kissofire mentioned this pull request Sep 28, 2023
Open
@molllyn1 molllyn1 mentioned this pull request Sep 28, 2023
Open
@ron-a20 ron-a20 mentioned this pull request Sep 28, 2023
Open
@137717unity 137717unity mentioned this pull request Sep 28, 2023
Open
@aliceUnhinged613 aliceUnhinged613 mentioned this pull request Sep 28, 2023
Open
@baby636 baby636 mentioned this pull request Sep 28, 2023
Open
@wedataintelligence wedataintelligence mentioned this pull request Sep 29, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@richardlau richardlau richardlau approved these changes

@BethGriggs BethGriggs BethGriggs approved these changes

Assignees

No one assigned

Labels

release Issues and PRs related to Node.js releases.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@MylesBorins @nodejs-github-bot @richardlau @BethGriggs @targos @tniessen @ruyadorno