PR-URL: nodejs-private/node-private#242

Fixes: #36437

PR-URL: #36479
Backport-PR-URL: #36831
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Yongsheng Zhang <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>

PR-URL: #36633
Backport-PR-URL: #36940
Fixes: #36620
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Danielle Adams <[email protected]>

PR-URL: #36633
Backport-PR-URL: #36940
Fixes: #36620
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Danielle Adams <[email protected]>

PR-URL: #36618
Reviewed-By: Robert Nagy <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>

PR-URL: #37173
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>

Signed-off-by: Ruben Bridgewater <[email protected]>

Backport-PR-URL: #37100
PR-URL: #36178
Fixes: #35730
Fixes: #36151
Refs: #35754
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Guy Bedford <[email protected]>
Reviewed-By: James M Snell <[email protected]>

Signed-off-by: Ruben Bridgewater <[email protected]>

Backport-PR-URL: #37100
PR-URL: #36178
Fixes: #35730
Fixes: #36151
Refs: #35754
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Guy Bedford <[email protected]>
Reviewed-By: James M Snell <[email protected]>

Original commit message:

    [wasm] PostMessage of Memory.buffer should throw

    PostMessage of an ArrayBuffer that is not detachable should result
    in a DataCloneError.

    Bug: chromium:1170176, chromium:961059
    Change-Id: Ib89bbc10d2b58918067fd1a90365cad10a0db9ec
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2653810
    Reviewed-by: Adam Klein <[email protected]>
    Reviewed-by: Andreas Haas <[email protected]>
    Commit-Queue: Deepti Gandluri <[email protected]>
    Cr-Commit-Position: refs/heads/master@{#72415}

Refs: v8/v8@dfcf1e8

PR-URL: #37245
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Vladimir de Turckheim <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>

Fixes: #36364

PR-URL: #36410
Reviewed-By: Gerhard Stöbich <[email protected]>
Reviewed-By: Ricky Zhou <[email protected]>

Notable changes:

- **deps**:
  - upgrade npm to 6.14.11 (Ruy Adorno)
    (#37173)
  - V8: backport dfcf1e86fac0 (Michaël Zasso)
    (#37245)
    - Note: Node.js is not believed to be vulnerable to CVE-2021-21148.
- **stream,zlib**: do not use \_stream\_\* anymore (Matteo Collina)
  (#36618)

PR-URL: #37074

PR-URL: #37074

CVE-ID: CVE-2021-22884
Refs: https://hackerone.com/bugs?report_id=1069487
PR-URL: nodejs-private/node-private#244
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Mary Marchini <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Rich Trott <[email protected]>

This commit add a configuration options named unknownProtocolTimeout
which can be specified to set a value for the timeout in milliseconds
that a server should wait when an unknowProtocol is sent to it. When
this happens a timer will be started and the if the socket has not been
destroyed during that time the timer callback will destoy it.

Refs: https://hackerone.com/reports/1043360
CVE-ID: CVE-2021-22883
PR-URL: nodejs-private/node-private#246
Backport-PR-URL: nodejs-private/node-private#250
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>

This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1j.tar.gz
    $ mv openssl-1.1.1j openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37412
Backport-PR-URL: #37413
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>

After an OpenSSL source update, all the config files need to be
regenerated and committed by:
    $ make -C deps/openssl/config
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/include/crypto/bn_conf.h
    $ git add deps/openssl/openssl/include/crypto/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: #37412
Backport-PR-URL: #37413
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>

This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
    resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate

PR-URL: nodejs-private/node-private#254