Notable changes
This is a security release.
Vulnerabilities fixed:
-
CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in its
TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method does
not return an error, this object is passed back to the caller as part of
a StreamWriteResult structure. This may be exploited to corrupt memory
leading to a Denial of Service or potentially other exploits -
CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in a
http request. For example, two Transfer-Encoding header fields. In this
case Node.js identifies the first header field and ignores the second.
This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html). -
CVE-2020-1971: OpenSSL – EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
Commits
- [
] – build,win: accept Python 3 if 2 is not available (João Reis) #292361bd44b0ee7f
- [
] – build,win: find Python in paths with spaces (João Reis) #292361d5c9b09bdc
- [
] – deps: update http-parser to http-parser@ec8b5ee63f (Richard Lau) nodejs-private/node-private#2351323a6f114a
- [
] – deps: upgrade npm to 6.14.10 (Ruy Adorno) #365711f08d0fef64
- [
] – deps: update archs files for OpenSSL-1.1.1i (Richard Lau) #365411b0608b574a
- [
] – deps: upgrade openssl sources to 1.1.1i (Myles Borins) #365411d936e1833f
- [
] – deps: upgrade npm to 6.14.9 (Myles Borins) #3645019c4970715c
- [
] – http: add test for http transfer encoding smuggling (Richard Lau) nodejs-private/node-private#2351aa6b97fb99
- [
] – http: unset1fc70ce08f51F_CHUNKED
on new
1Transfer-Encoding(Fedor Indutny) nodejs-private/node-private#235
- [
] – src: use unique_ptr for WriteWrap (Daniel Bevenius) nodejs-private/node-private#23817f178663eb
- [
] – test: add test-tls-use-after-free-regression (Daniel Bevenius) nodejs-private/node-private#2381357e2857c8
Windows 32-bit Installer: https://nodejs.org/dist/v10.23.1/node-v10.23.1-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v10.23.1/node-v10.23.1-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v10.23.1/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v10.23.1/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v10.23.1/node-v10.23.1.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-darwin-x64.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-aix-ppc64.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-sunos-x64.tar.xz
ARMv6 32-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-linux-armv6l.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v10.23.1/node-v10.23.1-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v10.23.1/node-v10.23.1.tar.gz
Other release files: https://nodejs.org/dist/v10.23.1/
Documentation: https://nodejs.org/docs/v10.23.1/api/
SHASUMS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55 -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
33bf67ad4a5843b0c1a5a9f3800ccbe1f30b068889177049bd6faca4a843c64a node-v10.23.1-aix-ppc64.tar.gz
07da39e4c122d1cee744f3a3ace904edf23c3256879adedafcca6a1da4ca4681 node-v10.23.1-darwin-x64.tar.gz
febfdabd98ab5b8f8fdff32ab8c111d834083805bf042ab65c923cc22609c99d node-v10.23.1-darwin-x64.tar.xz
a877aa44822994b21312a054e05db8a7784391acffd1c1fc85291a014e129c76 node-v10.23.1-headers.tar.gz
d2492742a95a74f2bada841203e9390831c37bfec7580cf0605cab3f521f7bae node-v10.23.1-headers.tar.xz
e7d0476b1e9add7b21297698517356bb7c7d7f10e75f5abad6ab5806518a6cd6 node-v10.23.1-linux-arm64.tar.gz
9b923a161d80d2802241538c8f2099705163fc7f0dcd886d2274d8d6adf4f58f node-v10.23.1-linux-arm64.tar.xz
75f04c8c26b83afe40eb1de97a04efca1adf1dd2ad1b887bed297888d7760aaf node-v10.23.1-linux-armv6l.tar.gz
5f77882103c03e6a486bd11a7218ef6ae9a720172f9369a4a3fa4c5fa21d653b node-v10.23.1-linux-armv6l.tar.xz
8f965f2757efcf3077d655bfcea36f7a29c58958355e0eb23cfb725740c3ccbe node-v10.23.1-linux-armv7l.tar.gz
a26aa4d9b2ac37c49d3f7c6198502faee3806f6386559aeabc8ac1bf02f99b59 node-v10.23.1-linux-armv7l.tar.xz
46e590ecef7bfa76e2de1f57e0a1b0b0df2bd0142a25e2329ccfbd9fc33e7cc8 node-v10.23.1-linux-ppc64le.tar.gz
4390158e7230be4968dafe94524a8c7fb65b7c622753146d4238306a5733340d node-v10.23.1-linux-ppc64le.tar.xz
7b51c8bc1d15fac73245685437079ca6952c38560d94732630645a61303d6b47 node-v10.23.1-linux-s390x.tar.gz
615962749dfe497d455426bc3097978b0504e0988e8bd198c0d202896056c245 node-v10.23.1-linux-s390x.tar.xz
2a5f9d862468a4c677630923531e52339526cfd075cc6df30da4636782eb7bda node-v10.23.1-linux-x64.tar.gz
207e5ec77ca655ba6fcde922d6b329acbb09898b0bd793ccfcce6c27a36fdff0 node-v10.23.1-linux-x64.tar.xz
8e963dd9cba374d610c33609faa36f37589e315e97b855c6aeccf02844d194f8 node-v10.23.1.pkg
5c6e8f40b3d36d59035d998bbcaffbd9a326efa57c15c32941c23529f1a2da6c node-v10.23.1-sunos-x64.tar.gz
776c17af00d8a758f0fd41b00cd1f173a1f8787e5f850d1c7fe0a515655dfffc node-v10.23.1-sunos-x64.tar.xz
a5348b5dfdbe32e0be2837576e66ac285a59907e11e5439fbcda25e70f52550d node-v10.23.1.tar.gz
88aa16f5af79615b183ca55ed81393763169e75d1fb96013cf1831895c6cedfa node-v10.23.1.tar.xz
b4808da108c43de909bc704ce6ef4bba6b9c1f054879253b9810d078c6e70764 node-v10.23.1-win-x64.7z
497996aa1037b6f7f492c1d275bb90140269223939525286b4e95babad16f0de node-v10.23.1-win-x64.zip
9d4c520003d3aa151a53b43289a51bfb2f7af93b7f011dadccd9a1619b3e2510 node-v10.23.1-win-x86.7z
c3be0fd50c218cc52e85377c9e22d7d2110d72de95bdbc9447145b246330f818 node-v10.23.1-win-x86.zip
4495bdc0646cc535f5d5ad5ca52bb18302cda8d4da950bdecf3043f7d28d7cef node-v10.23.1-x64.msi
ddc19192781e1b3aebfaee894ccba624c923b2691509b1883bb2a54d0bc396f1 node-v10.23.1-x86.msi
82e2bab0e8c9d16324de69e5f1cfcd46ab1b2db272c6d204fe09d2f5509a9c08 win-x64/node.exe
fe8c3392fafc6a09f59f9d9a2c6dbf922fcde9d072e1abb52df3b0eb09dd27c9 win-x64/node.lib
50cff21434ccb4628e53033167e822021fd0c5fe42d98e1322405179708f8508 win-x64/node_pdb.7z
8ff935da1e63c3a3137f7ff80c67cb8395e42d5c8c1b6209e6c5ce0e7b076409 win-x64/node_pdb.zip
5d2f4b8c34fdc1398b1cda50db5b518e4c42616b9ffc9b05d985e5fabb1f47eb win-x86/node.exe
2cd7d4a696cd539b4592af0a245db1a8235f2c20e30ae0fa2921d8a130933d8a win-x86/node.lib
8db9406024e50a833fe31e2805e31834183a18bcded7637721d559b444434779 win-x86/node_pdb.7z
5025c6f535d025d5fde0e64b55199c924300e78da7b665030cdd6948d522e4c1 win-x86/node_pdb.zip
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEyC+jrhy+3Gvka5NgxDzsRcF6uTwFAl/zWpUACgkQxDzsRcF6
uTwdTw//XCxqbJH/uzqUGNkl09ZpNbAXPBksX+UifPvtAxdN0S5N710Mxmo584MZ
Go7k/EgH6zdoO6s6nehtfQNnjuq2sfUuYD7T6ZzQWfwe7VZt43rkTRHq0Wj+VveX
MulN9R8J4T6dHb0KvaqHAdiWs3HkOH9XkdjhOoRLVEJ1aOn7JNztmg0LA+mCdbSP
A0JW+M0WY1Q3qyjGesSTj9YJ+jts0AgAzSbMUBFNETPXqIHjljN0nX2+SCq/CXeM
lcje2mbxe+DeKZ0s4fMHAvmsLXKq+hntqWxhtJ2Rp79wVWZGKV7XrTQPhtShfruK
K+v/mywfNLTxUjI419q7Pn/iXUbPb3UnAhEhoj1m9OEJU3tfw9up4DF3Fzupxc2w
y68TfG6JQXPq3X4LTMUwa4Hj0HRWMdE2fYAzHQFWgAfI+jLD+7IdBSkoyANccG40
tHqajytGJIMAbYU0m+B23aySjSkfai7Dy3GjThqaWvy+jmPLpFtSJ/74hyc/Wp2f
/aYuzbKb6cPCAg0OSLaScQpo0HqjsE8Kbsbt/RFHEEAcXBnTMaa98SgbjTDJgjaa
NipIayFSBALUJEWQNYcNIltMgBnpV2Rzh2U2imXuxZLjk+P1Do5/zXTED4E+lU6Q
KvSBzQPrbaXH0rgfSwcl7p7S6ntzZ+jUPXd7HAQrSvDMlZ0xelo=
=TVIl
-----END PGP SIGNATURE-----
0 Comments