Skip to content

Commit f557b4f

Browse files
sam-githubsam-github
committed
feb-2020 sec release post-announcement
1 parent 247682e commit f557b4f

1 file changed

Lines changed: 35 additions & 1 deletion

File tree

locale/en/blog/vulnerability/february-2020-security-releases.md

Lines changed: 35 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,46 @@
11
---
2-
date: 2020-01-28T12:00:00.000Z
2+
date: 2020-02-06T12:00:00.000Z
33
category: vulnerability
44
title: February 2020 Security Releases
55
slug: february-2020-security-releases
66
layout: blog-post.hbs
77
author: Sam Roberts
88
---
99

10+
## _(Update 6-February-2020)_ Security releases available
11+
12+
Updates are now available for all active Node.js release lines for the following issues.
13+
14+
### HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)
15+
16+
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.
17+
18+
Reported by Ethan Rubinson, a software engineer at eBay.
19+
20+
### HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)
21+
22+
Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.
23+
24+
Reported by Alyssa Wilk from Google.
25+
26+
### Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)
27+
28+
Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.
29+
30+
Reported by Rogier Schouten and Melvin Groenhoff.
31+
32+
## Strict HTTP header parsing (None)
33+
34+
Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a `--insecure-http-parser` CLI option or `insecureHTTPParser` http option can be used if necessary for interoperability, but is not recommended.
35+
36+
## Downloads & release details
37+
38+
* [Node.js v10.19.0 (LTS)](https://nodejs.org/en/blog/release/v10.19.1/)
39+
* [Node.js v12.15.0 (LTS)](https://nodejs.org/en/blog/release/v12.15.0/)
40+
* [Node.js v13.8.0 (LTS)](https://nodejs.org/en/blog/release/v13.8.0/)
41+
42+
--------------------------------------
43+
1044
# Summary
1145

1246
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, February 4th, 2020.

0 commit comments

Comments
 (0)