October 12th 2021 Security Releases:
HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)
HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
July 2021 Security Releases:
Use after free on close http2 on stream canceling (High) (CVE-2021-22930)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Notable Changes:
Diagnostics channel (experimental module)
UUID support in the crypto module
Experimental support for AbortController and AbortSignal
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
upgrade npm to 6.14.6
update openssl to 1.1.1g
Vulnerabilities fixed:
* CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
* CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
* CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Add some new APIs
V8 was updated to 7.8.279.23. This includes performance improvements to object
destructuring, RegExp match failures and WebAssembly startup time.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>