2020-09-15, Version 14.11.0 (Current), @richardlau

richardlau released this 15 Sep 21:24

d844fa0

Notable Changes

This is a security release.

Vulnerabilities fixed:

CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical).
CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).

Commits

[dd828376a0] - deps: update llhttp to 2.1.2 (Fedor Indutny) nodejs-private/node-private#215
[753f3b247a] - http: add requestTimeout (Matteo Collina, Paolo Insogna, Robert Nagy) nodejs-private/node-private#208

Assets 2