After an OpenSSL source update, all the config files need to be
regenerated and committed by:
$ make -C deps/openssl/config
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/include/crypto/bn_conf.h
$ git add deps/openssl/openssl/include/crypto/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git commit
PR-URL: https://github.com/nodejs/node/pull/37940
Refs: https://github.com/nodejs/node/issues/37913
Refs: https://github.com/nodejs/node/pull/37916
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
This is a security release.
Notable changes
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/255
This commit add a configuration options named unknownProtocolTimeout
which can be specified to set a value for the timeout in milliseconds
that a server should wait when an unknowProtocol is sent to it. When
this happens a timer will be started and the if the socket has not been
destroyed during that time the timer callback will destoy it.
CVE-ID: CVE-2021-22883
Refs: https://hackerone.com/reports/1043360
PR-URL: https://github.com/nodejs-private/node-private/pull/246
Backport PR-URL: https://github.com/nodejs-private/node-private/pull/248
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
$ make -C deps/openssl/config
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/include/crypto/bn_conf.h
$ git add deps/openssl/openssl/include/crypto/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git commit
PR-URL: https://github.com/nodejs/node/pull/37415
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
This test fails prior to 990feafcb6 being cherry-picked
due to stream.pipeline with a crypto.Hash not working properly.
That bug also seems to have affected md5.
PR-URL: https://github.com/nodejs/node/pull/37009
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
When piping data into an SHA3 hash, EVP_DigestFinal_ex is called in
hash._flush, bypassing safeguards in the JavaScript layer. Calling
hash.digest causes EVP_DigestFinal_ex to be called again, resulting
in a segmentation fault in the SHA3 implementation of OpenSSL.
A relatively easy solution is to cache the result of calling
EVP_DigestFinal_ex until the Hash object is garbage collected.
PR-URL: https://github.com/nodejs/node/pull/28251
Fixes: https://github.com/nodejs/node/issues/28245
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Backport-PR-URL: https://github.com/nodejs/node/pull/37009
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/35451
Reviewed-By: Stewart X Addison <sxa@uk.ibm.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Add Richard Lau and his Release key.
Signed-off-by: Richard Lau <riclau@uk.ibm.com>
PR-URL: https://github.com/nodejs/node/pull/34397
Refs: https://github.com/nodejs/Release/issues/585
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Notable changes:
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
PR-URL: https://github.com/nodejs-private/node-private/pull/239
Duplicate `Transfer-Encoding` header should be a treated as a single,
but with original header values concatenated with a comma separator. In
the light of this, even if the past `Transfer-Encoding` ended with
`chunked`, we should be not let the `F_CHUNKED` to leak into the next
header, because mere presence of another header indicates that `chunked`
is not the last transfer-encoding token.
CVE-ID: CVE-2020-8287
PR-URL: https://github.com/nodejs-private/node-private/pull/235
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
$ cd deps/openssl/config
$ make
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/include/crypto/bn_conf.h
$ git add deps/openssl/openssl/include/crypto/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git commit
PR-URL: https://github.com/nodejs/node/pull/36541
Reviewed-By: Michael Dawson <midawson@redhat.com>
If there is no Python 2 available, use Python 3. This allows to test
running configure with Python 3.
PR-URL: https://github.com/nodejs/node/pull/29236
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
When looking for Python in the registry, as specified in PEP514,
this was not able to handle installations in a path with spaces,
like Program Files. This ensures the whole path is used, fixing the
issue.
PR-URL: https://github.com/nodejs/node/pull/29236
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
The new V8 seems to be optimizing the functions we use in this test
faster than before. Increasing the sampling frequency for Linux perf
fixes the issue.
PR-URL: https://github.com/nodejs/node/pull/27615
Refs: https://github.com/v8/v8/compare/7.4.288.21...7.4.288.27
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
To debug native modules node should be a debuggable process, that will
require the **com.apple.security.get-task-allow** entitlement to be
added to the codesign procedure.
PR-URL: https://github.com/nodejs/node/pull/34378
Fixes: https://github.com/nodejs/node/issues/34340
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Some small fixes on HTTP/2 and its documentation:
- Add a note that, on server streams, it's not necessary
to start data flow.
- Set EOF flag if we have marked all data for sending:
there's no need to wait until the queue is
actually empty (and send a separate, empty DATA).
(Note that, even with this change, a separate DATA
frame will always be sent, because the streams
layer waits until data has been flushed before
dispatching EOF)
PR-URL: https://github.com/nodejs/node/pull/28044
Backport-PR-URL: https://github.com/nodejs/node/pull/34857
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Mark `napi_detach_arraybuffer` and `napi_is_detached_arraybuffer` as
stable.
Signed-off-by: Gabriel Schulhof <gabriel.schulhof@intel.com>
PR-URL: https://github.com/nodejs/node/pull/35199
Backport-PR-URL: https://github.com/nodejs/node/pull/35336
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Michael Dawson <mdawson@devrus.com>
