From d844fa0a5446ea6848e7afef82eeb671756e0008 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Mon, 14 Sep 2020 16:02:57 -0400 Subject: [PATCH] 2020-09-15, Version 14.11.0 (Current) This is a security release. Notable changes: Vulnerabilities fixed: - CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical). - CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High). PR-URL: https://github.com/nodejs-private/node-private/pull/225 --- CHANGELOG.md | 3 ++- doc/api/http.md | 2 +- doc/api/https.md | 2 +- doc/changelogs/CHANGELOG_V14.md | 18 ++++++++++++++++++ src/node_version.h | 6 +++--- 5 files changed, 25 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ead456b7f1f725..d6980334356b3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,7 +31,8 @@ release. -14.10.1
+14.11.0
+14.10.1
14.10.0
14.9.0
14.8.0
diff --git a/doc/api/http.md b/doc/api/http.md index 29fdae5a3a8fd2..038920eb3e2310 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -1258,7 +1258,7 @@ Limits maximum incoming headers count. If set to 0, no limit will be applied. ### `server.requestTimeout` * {number} **Default:** `0` diff --git a/doc/api/https.md b/doc/api/https.md index 7d40aa1e44c6af..c0c60ffce72fbf 100644 --- a/doc/api/https.md +++ b/doc/api/https.md @@ -115,7 +115,7 @@ See [`http.Server#maxHeadersCount`][]. ### `server.requestTimeout` * {number} **Default:** `0` diff --git a/doc/changelogs/CHANGELOG_V14.md b/doc/changelogs/CHANGELOG_V14.md index a5dea8421594d3..86bda5aa6ef8fe 100644 --- a/doc/changelogs/CHANGELOG_V14.md +++ b/doc/changelogs/CHANGELOG_V14.md @@ -10,6 +10,7 @@ +14.11.0
14.10.1
14.10.0
14.9.0
@@ -42,6 +43,23 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + +## 2020-09-15, Version 14.11.0 (Current), @richardlau + +### Notable Changes + +This is a security release. + +Vulnerabilities fixed: + +* **CVE-2020-8251**: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical). +* **CVE-2020-8201**: HTTP Request Smuggling due to CR-to-Hyphen conversion (High). + +### Commits + +* [[`dd828376a0`](https://github.com/nodejs/node/commit/dd828376a0)] - **deps**: update llhttp to 2.1.2 (Fedor Indutny) [nodejs-private/node-private#215](https://github.com/nodejs-private/node-private/pull/215) +* [[`753f3b247a`](https://github.com/nodejs/node/commit/753f3b247a)] - **http**: add requestTimeout (Matteo Collina, Paolo Insogna, Robert Nagy) [nodejs-private/node-private#208](https://github.com/nodejs-private/node-private/pull/208) + ## 2020-09-10, Version 14.10.1 (Current), @richardlau diff --git a/src/node_version.h b/src/node_version.h index 2c627ed41d9ba5..0d7ffd57452c95 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -23,13 +23,13 @@ #define SRC_NODE_VERSION_H_ #define NODE_MAJOR_VERSION 14 -#define NODE_MINOR_VERSION 10 -#define NODE_PATCH_VERSION 2 +#define NODE_MINOR_VERSION 11 +#define NODE_PATCH_VERSION 0 #define NODE_VERSION_IS_LTS 0 #define NODE_VERSION_LTS_CODENAME "" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
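Review bot: In the Notable Changes block added to doc/changelogs/CHANGELOG_V14.md, neither CVE bullet says which of the two commits listed under Commits addresses it, or whether any configuration is needed after upgrading. The same patch touches the `server.requestTimeout` entries in doc/api/http.md and doc/api/https.md, where the option is documented with **Default:** `0`. If that option is part of the fix for CVE-2020-8251, the entry should say what `0` means and whether operators have to set a value themselves. Suggest ending each CVE bullet with a reference to the commit that fixes it, so a reader can tell from the changelog alone whether upgrading is sufficient.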
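Review bot: In src/node_version.h, `NODE_VERSION_IS_RELEASE` is flipped to 1 while the tree moves from 14.10.2 (flag 0) to 14.11.0, and nothing in the patch or commit message records that the flag has to be reset afterwards. Suggest confirming that the commit following the tag sets `NODE_VERSION_IS_RELEASE` back to 0 and bumps `NODE_PATCH_VERSION`, so builds from the branch after this commit are not labelled as the 14.11.0 release.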