Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v10.24.1 proposal #38085

Merged
merged 4 commits into from
Apr 6, 2021
Merged

v10.24.1 proposal #38085

merged 4 commits into from
Apr 6, 2021

Conversation

MylesBorins
Copy link
Contributor

@MylesBorins MylesBorins commented Apr 4, 2021

2021-04-06, Version 10.24.1 'Dubnium' (LTS), @MylesBorins

This is a security release

Notable Changes

Vulerabilties fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines

Commits

tniessen and others added 3 commits April 4, 2021 16:07
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37940
Refs: #37913
Refs: #37916
Reviewed-By: Daniel Bevenius <[email protected]>
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: #37940
Refs: #37913
Refs: #37916
Reviewed-By: Daniel Bevenius <[email protected]>
PR-URL: #37918
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. v10.x labels Apr 4, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 4, 2021

MylesBorins added a commit that referenced this pull request Apr 5, 2021
This is a security release

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
Copy link
Member

@BethGriggs BethGriggs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does This is a security release need to be This is a security release. to match the regex in https://github.com/nodejs/nodejs-dist-indexer/blob/master/is-security-release.js#L2?

(apologies for the painful nit!)

doc/changelogs/CHANGELOG_V10.md Outdated Show resolved Hide resolved
doc/changelogs/CHANGELOG_V10.md Outdated Show resolved Hide resolved
MylesBorins added a commit that referenced this pull request Apr 6, 2021
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
MylesBorins added a commit that referenced this pull request Apr 6, 2021
@MylesBorins MylesBorins merged commit 5182a7e into v10.x Apr 6, 2021
MylesBorins added a commit that referenced this pull request Apr 6, 2021
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38085
@MylesBorins MylesBorins deleted the v10.24.1-proposal branch April 6, 2021 20:11
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
@targos targos added the release Issues and PRs related to Node.js releases. label Apr 11, 2021
@targos targos removed meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. labels Jun 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release Issues and PRs related to Node.js releases.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants