Update Node.js to v10.23.1 #9955
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
10.23.0->10.23.1Release Notes
nodejs/node
v10.23.1Compare Source
Notable changes
This is a security release.
Vulnerabilities fixed:
Affected Node.js versions are vulnerable to a use-after-free bug in its
TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method does
not return an error, this object is passed back to the caller as part of
a StreamWriteResult structure. This may be exploited to corrupt memory
leading to a Denial of Service or potentially other exploits
Affected versions of Node.js allow two copies of a header field in a
http request. For example, two Transfer-Encoding header fields. In this
case Node.js identifies the first header field and ignores the second.
This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
Commits
bd44b0ee7f] - build,win: accept Python 3 if 2 is not available (João Reis) #29236d5c9b09bdc] - build,win: find Python in paths with spaces (João Reis) #29236323a6f114a] - deps: update http-parser to http-parser@ec8b5ee(Richard Lau) nodejs-private/node-private#235f08d0fef64] - deps: upgrade npm to 6.14.10 (Ruy Adorno) #36571b0608b574a] - deps: update archs files for OpenSSL-1.1.1i (Richard Lau) #36541d936e1833f] - deps: upgrade openssl sources to 1.1.1i (Myles Borins) #365419c4970715c] - deps: upgrade npm to 6.14.9 (Myles Borins) #36450aa6b97fb99] - http: add test for http transfer encoding smuggling (Richard Lau) nodejs-private/node-private#235fc70ce08f5] - http: unsetF_CHUNKEDon newTransfer-Encoding(Fedor Indutny) nodejs-private/node-private#2357f178663eb] - src: use unique_ptr for WriteWrap (Daniel Bevenius) nodejs-private/node-private#238357e2857c8] - test: add test-tls-use-after-free-regression (Daniel Bevenius) nodejs-private/node-private#238Renovate configuration
📅 Schedule: At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.