v14.16.1 proposal by MylesBorins · Pull Request #38082 · nodejs/node

MylesBorins · 2021-04-04T19:53:05Z

2021-04-06, Version 14.16.1 'Fermium' (LTS), @MylesBorins

This is a security release.

Notable Changes

Vulnerabilities fixed:

CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
  - All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
  - All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
- This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
- Impacts:
  - All versions of the 14.x, 12.x and 10.x releases lines

Commits

[467be7a950] - deps: upgrade npm to 6.14.12 (Ruy Adorno) #37918
[6bc8f58182] - deps: update archs files for OpenSSL-1.1.1k (Tobias Nießen) #37938
[403a014ef6] - deps: upgrade openssl sources to 1.1.1k (Tobias Nießen) #37938

This updates all sources in deps/openssl/openssl by: $ cd deps/openssl/ $ rm -rf openssl $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz $ mv openssl-1.1.1k openssl $ git add --all openssl $ git commit openssl PR-URL: #37938 Refs: #37913 Refs: #37916 Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]>

After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl/include/crypto/bn_conf.h $ git add deps/openssl/openssl/include/crypto/dso_conf.h $ git add deps/openssl/openssl/include/openssl/opensslconf.h $ git commit PR-URL: #37938 Refs: #37913 Refs: #37916 Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]>

PR-URL: #37918 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>

nodejs-github-bot · 2021-04-04T19:54:58Z

CI: https://ci.nodejs.org/job/node-test-pull-request/37145/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2662/ ✅
CITGM nobuild v14: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker-nobuild/1071/
Rerun vs2019 CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2669/
vs2019 v14.16.0: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2670/

vs2019 has a bunch of failing native modules but it is unrelated to this release (failing on v14.16.0). Otherwise there are no significant differences in the failures on the nobuild job + the full job for v14.16.1

This is a security release. Notable Changes: Vulnerabilities fixed: - **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) - **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High) - **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High) PR-URL: #38082

nodejs-github-bot · 2021-04-05T17:19:33Z

CI: https://ci.nodejs.org/job/node-test-pull-request/37168/

This is a security release. Notable Changes: Vulnerabilities fixed: - **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) - **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High) - **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High) PR-URL: #38082

PR-URL: #38082

This is a security release. Notable Changes: Vulnerabilities fixed: - **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) - **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High) - **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High) PR-URL: #38082

Refs: nodejs/node#38082 Refs: nodejs/node#38083 Refs: nodejs/node#38085

tniessen and others added 3 commits April 4, 2021 15:31

deps: upgrade npm to 6.14.12

467be7a

PR-URL: #37918 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>

nodejs-github-bot added meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. v14.x labels Apr 4, 2021

nodejs deleted a comment from nodejs-github-bot Apr 5, 2021

MylesBorins force-pushed the v14.16.1-proposal branch from 5e6214a to 6703f0e Compare April 5, 2021 17:16

nodejs deleted a comment from nodejs-github-bot Apr 5, 2021

gengjiawen approved these changes Apr 6, 2021

View reviewed changes

BethGriggs approved these changes Apr 6, 2021

View reviewed changes

richardlau approved these changes Apr 6, 2021

View reviewed changes

Comment thread doc/changelogs/CHANGELOG_V14.md Outdated

MylesBorins force-pushed the v14.16.1-proposal branch from 6703f0e to b34a9d7 Compare April 6, 2021 13:28

richardlau approved these changes Apr 6, 2021

View reviewed changes

MylesBorins added a commit that referenced this pull request Apr 6, 2021

Working on v14.16.2

78680c1

PR-URL: #38082

MylesBorins merged commit b34a9d7 into v14.x Apr 6, 2021

MylesBorins deleted the v14.16.1-proposal branch April 6, 2021 20:11

MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021

blog: April 2021 10/12/14 sec releases

9a5c0a0

Refs: nodejs/node#38082 Refs: nodejs/node#38083 Refs: nodejs/node#38085

MylesBorins mentioned this pull request Apr 6, 2021

blog: April 2021 10/12/14 sec releases nodejs/nodejs.org#3791

Merged

MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021

blog: April 2021 10/12/14 sec releases (#3791)

b3635c4

Refs: nodejs/node#38082 Refs: nodejs/node#38083 Refs: nodejs/node#38085

targos added the release Issues and PRs related to Node.js releases. label Apr 11, 2021

targos removed needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. meta Issues and PRs related to the general management of the project. labels Jun 6, 2021

molllyn1 mentioned this pull request Jun 8, 2023

[Snyk] Fix for 4 vulnerabilities molllyn1/node#79

Open

This was referenced Jun 8, 2023

[Snyk] Fix for 4 vulnerabilities kissofire/node#98

Open

[Snyk] Fix for 4 vulnerabilities aliceUnhinged613/node#93

Open

ron-a20 mentioned this pull request Jun 8, 2023

[Snyk] Fix for 4 vulnerabilities ron-a20/node#96

Open

baby636 mentioned this pull request Jun 9, 2023

[Snyk] Fix for 4 vulnerabilities baby636/node#93

Open

137717unity mentioned this pull request Jun 9, 2023

[Snyk] Fix for 4 vulnerabilities 137717unity/node#96

Open

wedataintelligence mentioned this pull request Jun 9, 2023

[Snyk] Fix for 4 vulnerabilities wedataintelligence/node#78

Open

kissofire mentioned this pull request Jun 25, 2023

[Snyk] Fix for 28 vulnerabilities kissofire/node#102

Open

kissofire mentioned this pull request Sep 28, 2023

[Snyk] Fix for 1 vulnerabilities kissofire/node#103

Open

molllyn1 mentioned this pull request Sep 28, 2023

[Snyk] Fix for 1 vulnerabilities molllyn1/node#83

Open

ron-a20 mentioned this pull request Sep 28, 2023

[Snyk] Fix for 1 vulnerabilities ron-a20/node#99

Open

137717unity mentioned this pull request Sep 28, 2023

[Snyk] Fix for 1 vulnerabilities 137717unity/node#100

Open

aliceUnhinged613 mentioned this pull request Sep 28, 2023

[Snyk] Fix for 1 vulnerabilities aliceUnhinged613/node#96

Open

baby636 mentioned this pull request Sep 28, 2023

[Snyk] Fix for 1 vulnerabilities baby636/node#105

Open

wedataintelligence mentioned this pull request Sep 29, 2023

[Snyk] Fix for 1 vulnerabilities wedataintelligence/node#82

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

v14.16.1 proposal#38082

v14.16.1 proposal#38082
MylesBorins merged 4 commits intov14.xfrom
v14.16.1-proposal

MylesBorins commented Apr 4, 2021 •

edited

Loading

Uh oh!

nodejs-github-bot commented Apr 4, 2021 •

edited by MylesBorins

Loading

Uh oh!

nodejs-github-bot commented Apr 5, 2021

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Uh oh!

Conversation

MylesBorins commented Apr 4, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

2021-04-06, Version 14.16.1 'Fermium' (LTS), @MylesBorins

Notable Changes

Commits

Uh oh!

nodejs-github-bot commented Apr 4, 2021 • edited by MylesBorins Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nodejs-github-bot commented Apr 5, 2021

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

MylesBorins commented Apr 4, 2021 •

edited

Loading

nodejs-github-bot commented Apr 4, 2021 •

edited by MylesBorins

Loading