Skip to content

Commit 6f9b622

Browse files
BethGriggsBethGriggs
committed
2021-02-23, Version 15.10.0 (Current)
This is a security release. Notable changes: Vulnerabilities fixed: - **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion - **CVE-2021-22884**: DNS rebinding in --inspect - **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate PR-URL: nodejs-private/node-private#253
1 parent 47d6ced commit 6f9b622

3 files changed

Lines changed: 30 additions & 4 deletions

File tree

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,8 @@ release.
3232
</tr>
3333
<tr>
3434
<td valign="top">
35-
<b><a href="doc/changelogs/CHANGELOG_V15.md#15.9.0">15.9.0</a></b><br/>
35+
<b><a href="doc/changelogs/CHANGELOG_V15.md#15.10.0">15.10.0</a></b><br/>
36+
<a href="doc/changelogs/CHANGELOG_V15.md#15.9.0">15.9.0</a><br/>
3637
<a href="doc/changelogs/CHANGELOG_V15.md#15.8.0">15.8.0</a><br/>
3738
<a href="doc/changelogs/CHANGELOG_V15.md#15.7.0">15.7.0</a><br/>
3839
<a href="doc/changelogs/CHANGELOG_V15.md#15.6.0">15.6.0</a><br/>

doc/api/http2.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2122,7 +2122,7 @@ Throws `ERR_INVALID_ARG_TYPE` for invalid `settings` argument.
21222122
<!-- YAML
21232123
added: v8.4.0
21242124
changes:
2125-
- version: REPLACEME
2125+
- version: v15.10.0
21262126
pr-url: https://github.com/nodejs-private/node-private/pull/246
21272127
description: Added `unknownProtocolTimeout` option with a default of 10000.
21282128
- version:
@@ -2271,7 +2271,7 @@ server.listen(80);
22712271
<!-- YAML
22722272
added: v8.4.0
22732273
changes:
2274-
- version: REPLACEME
2274+
- version: v15.10.0
22752275
pr-url: https://github.com/nodejs-private/node-private/pull/246
22762276
description: Added `unknownProtocolTimeout` option with a default of 10000.
22772277
- version:
@@ -2407,7 +2407,7 @@ server.listen(80);
24072407
<!-- YAML
24082408
added: v8.4.0
24092409
changes:
2410-
- version: REPLACEME
2410+
- version: v15.10.0
24112411
pr-url: https://github.com/nodejs-private/node-private/pull/246
24122412
description: Added `unknownProtocolTimeout` option with a default of 10000.
24132413
- version:

doc/changelogs/CHANGELOG_V15.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@
1010
</tr>
1111
<tr>
1212
<td>
13+
<a href="#15.10.0">15.10.0</a><br/>
1314
<a href="#15.9.0">15.9.0</a><br/>
1415
<a href="#15.8.0">15.8.0</a><br/>
1516
<a href="#15.7.0">15.7.0</a><br/>
@@ -44,6 +45,30 @@
4445
* [io.js](CHANGELOG_IOJS.md)
4546
* [Archive](CHANGELOG_ARCHIVE.md)
4647

48+
<a id="15.10.0"></a>
49+
## 2021-02-23, Version 15.10.0 (Current), @BethGriggs
50+
51+
This is a security release.
52+
53+
### Notable changes
54+
55+
Vulnerabilities fixed:
56+
57+
* **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
58+
* Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
59+
* **CVE-2021-22884**: DNS rebinding in --inspect
60+
* Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
61+
* **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
62+
* This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in
63+
https://www.openssl.org/news/secadv/20210216.txt
64+
65+
### Commits
66+
67+
* [[`2a3ce5974b`](https://github.com/nodejs/node/commit/2a3ce5974b)] - **deps**: update archs files for OpenSSL-1.1.1j (Daniel Bevenius) [#37412](https://github.com/nodejs/node/pull/37412)
68+
* [[`afbce66874`](https://github.com/nodejs/node/commit/afbce66874)] - **deps**: upgrade openssl sources to 1.1.1j (Daniel Bevenius) [#37412](https://github.com/nodejs/node/pull/37412)
69+
* [[`4184806dee`](https://github.com/nodejs/node/commit/4184806dee)] - **(SEMVER-MINOR)** **http2**: add unknownProtocol timeout (Daniel Bevenius) [nodejs-private/node-private#246](https://github.com/nodejs-private/node-private/pull/246)
70+
* [[`43ae9c46c3`](https://github.com/nodejs/node/commit/43ae9c46c3)] - **src**: drop localhost6 as allowed host for inspector (Matteo Collina) [nodejs-private/node-private#244](https://github.com/nodejs-private/node-private/pull/244)
71+
4772
<a id="15.9.0"></a>
4873
## 2021-02-17, Version 15.9.0 (Current), @danielleadams
4974

0 commit comments

Comments
 (0)