Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v14.16.1 proposal #38082

Merged
merged 4 commits into from
Apr 6, 2021
Merged

v14.16.1 proposal #38082

merged 4 commits into from
Apr 6, 2021

Conversation

MylesBorins
Copy link
Contributor

@MylesBorins MylesBorins commented Apr 4, 2021

2021-04-06, Version 14.16.1 'Fermium' (LTS), @MylesBorins

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines

Commits

tniessen and others added 3 commits April 4, 2021 15:31
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37938
Refs: #37913
Refs: #37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: #37938
Refs: #37913
Refs: #37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
PR-URL: #37918
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. v14.x labels Apr 4, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 4, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/37145/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2662/
CITGM nobuild v14: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker-nobuild/1071/
Rerun vs2019 CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2669/
vs2019 v14.16.0: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2670/

vs2019 has a bunch of failing native modules but it is unrelated to this release (failing on v14.16.0). Otherwise there are no significant differences in the failures on the nobuild job + the full job for v14.16.1

@nodejs nodejs deleted a comment from nodejs-github-bot Apr 5, 2021
MylesBorins added a commit that referenced this pull request Apr 5, 2021
This is a security release.

Notable Changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38082
@nodejs nodejs deleted a comment from nodejs-github-bot Apr 5, 2021
@nodejs-github-bot
Copy link
Collaborator

doc/changelogs/CHANGELOG_V14.md Outdated Show resolved Hide resolved
This is a security release.

Notable Changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38082
MylesBorins added a commit that referenced this pull request Apr 6, 2021
@MylesBorins MylesBorins merged commit b34a9d7 into v14.x Apr 6, 2021
MylesBorins added a commit that referenced this pull request Apr 6, 2021
This is a security release.

Notable Changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38082
@MylesBorins MylesBorins deleted the v14.16.1-proposal branch April 6, 2021 20:11
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
@targos targos added the release Issues and PRs related to Node.js releases. label Apr 11, 2021
@targos targos removed needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. meta Issues and PRs related to the general management of the project. labels Jun 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release Issues and PRs related to Node.js releases.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants