News from 2021
- Node v15.11.0 (Current)
  - [a3e3156b52] - (SEMVER-MINOR) crypto: make FIPS related options always available (Vít Ondruch) #36341
  - [9ba5c0f9ba] - (SEMVER-MINOR) errors: remove experimental from --enable-source-maps (Benjamin Coe) #37362
- February 2021 Security Releases
  Updates are now available for the v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues.
  Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
- Node v14.16.0 (LTS)
  Vulnerabilities fixed:
  - CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
  - CVE-2021-22884: DNS rebinding in --inspect
    - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  - CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
    - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
- Node v12.21.0 (LTS)
  Vulnerabilities fixed:
  - CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
  - CVE-2021-22884: DNS rebinding in --inspect
    - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  - CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
    - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
- Node v15.10.0 (Current)
  Vulnerabilities fixed:
  - CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
  - CVE-2021-22884: DNS rebinding in --inspect
    - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  - CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
    - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
- Node v10.24.0 (LTS)
  Vulnerabilities fixed:
  - CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
  - CVE-2021-22884: DNS rebinding in --inspect
    - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  - CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
    - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
- Node v15.9.0 (Current)
  - crypto:
    - add keyObject.export() 'jwk' format option (Filip Skokan) #37081
  - deps:
    - upgrade to libuv 1.41.0 (Colin Ihrig) #37360
  - doc:
  - fs:
  - perf_hooks:
    - introduce createHistogram (James M Snell) #37155
  - stream:
    - improve Readable.from error handling (Benjamin Gruenbaum) #37158
  - timers:
    - introduce setInterval async iterator (linkgoron) #37153
  - tls:
    - add ability to get cert/peer cert as X509Certificate object (James M Snell) #37070
- Node v12.20.2 (LTS)
  - deps:
    - upgrade npm to 6.14.11 (Ruy Adorno) #37173
  - [e8a4e560ea] - async_hooks: fix leak in AsyncLocalStorage exit (Stephen Belanger) #35779
  - [427968d266] - deps: upgrade npm to 6.14.11 (Ruy Adorno) #37173
  - [cd9a8106be] - http: do not loop over prototype in Agent (Michaël Zasso) #36410
  - [4ac8f37800] - http2: check write not scheduled in scope destructor (David Halls) #36241
- Node v10.23.3 (LTS)
  The update to npm 6.14.11 has been relanded so that npm correctly reports its version.
  - [953a85035d] - crypto: fix crash when calling digest after piping (Tobias Nießen) #28251
  - [fe2c98003e] - deps: upgrade npm to 6.14.11 (Ruy Adorno) #37173
  - [7b7fb43b8a] - Revert "deps: upgrade npm to 6.14.11" (Richard Lau) #37278
  - [1c6fbd6ffe] - test: add test that verifies crypto stream pipeline (Evan Lucas) #37009
- Node v14.15.5 (LTS)
  - deps:
  - stream,zlib: do not use _stream_* anymore (Matteo Collina) #36618
- Node v15.8.0 (Current)
- Node v10.23.2 (LTS)
- Node v15.7.0 (Current)
- Node v15.6.0 (Current)
- January 2021 Security Releases
- Node v12.20.1 (LTS)
- Node v10.23.1 (LTS)
- Node v14.15.4 (LTS)
- Node v15.5.1 (Current)