
v14.16.1 proposal #38082

Merged
merged 4 commits into from Apr 6, 2021

Conversation


@MylesBorins MylesBorins commented Apr 4, 2021

2021-04-06, Version 14.16.1 'Fermium' (LTS), @MylesBorins

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines

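The prototype-pollution bug class named in CVE-2020-7774 above, shown from the defensive side as an added example that is not code from the Node.js project or from the y18n module: a deep-merge helper that refuses the keys a pollution payload depends on (`__proto__`, `constructor`, `prototype`), and a check that reports whether `Object.prototype` has already been tampered with. The function names, the `FORBIDDEN_KEYS` constant and the `SAMPLE_PAYLOAD` string are constructed for this illustration and do not come from the release notes.

```javascript
'use strict';
// Added example, not code from the Node.js project or from y18n.
// Prototype pollution occurs when a recursive merge follows a key such as
// "__proto__" and ends up writing into Object.prototype instead of the target.

// Keys that let a merge escape the target object (constant name is hypothetical).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Deep-merges `source` into `target`, copying only the source's own keys and
// skipping the forbidden ones. Returns the refused keys so a caller can log them.
function safeMerge(target, source, refused = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      refused.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into an own nested object; an inherited one could be a prototype.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value, refused);
    } else {
      target[key] = value;
    }
  }
  return refused;
}

// Built-in members of Object.prototype are non-enumerable, so a for-in over an
// empty object lists only properties that something injected into the prototype.
function detectPrototypePollution() {
  const injected = [];
  for (const key in {}) injected.push(key);
  return injected;
}

// Constructed sample input: the shape a pollution payload takes once parsed.
// JSON.parse creates an own property literally named "__proto__" here.
const SAMPLE_PAYLOAD = '{"__proto__": {"polluted": true}, "locale": {"greeting": "hi"}}';

function demonstrate() {
  const target = {};
  const refused = safeMerge(target, JSON.parse(SAMPLE_PAYLOAD));
  return {
    refused,                              // ['__proto__']
    greeting: target.locale.greeting,     // 'hi': legitimate data still merged
    leaked: ({}).polluted,                // undefined: Object.prototype untouched
    injected: detectPrototypePollution(), // []
  };
}

console.log(demonstrate());
```

`detectPrototypePollution()` is cheap enough to run at process start or in a health check; a non-empty result means some code path (a merge, a config loader, a query-string parser) has already written into `Object.prototype`, which is the condition the y18n advisory describes.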
Commits

tniessen and others added 3 commits April 4, 2021 15:31
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37938
Refs: #37913
Refs: #37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>

After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: #37938
Refs: #37913
Refs: #37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>

PR-URL: #37918
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. v14.x labels Apr 4, 2021

nodejs-github-bot commented Apr 4, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/37145/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2662/
CITGM nobuild v14: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker-nobuild/1071/
Rerun vs2019 CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2669/
vs2019 v14.16.0: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2670/

vs2019 has a bunch of failing native modules but it is unrelated to this release (failing on v14.16.0). Otherwise there are no significant differences in the failures on the nobuild job + the full job for v14.16.1

@nodejs nodejs deleted a comment from nodejs-github-bot Apr 5, 2021
MylesBorins added a commit that referenced this pull request Apr 5, 2021
This is a security release.

Notable Changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38082
@nodejs nodejs deleted a comment from nodejs-github-bot Apr 5, 2021
MylesBorins added a commit that referenced this pull request Apr 6, 2021
@MylesBorins MylesBorins merged commit b34a9d7 into v14.x Apr 6, 2021
MylesBorins added a commit that referenced this pull request Apr 6, 2021
@MylesBorins MylesBorins deleted the v14.16.1-proposal branch April 6, 2021 20:11
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
MylesBorins added a commit to nodejs/nodejs.org that referenced this pull request Apr 6, 2021
@targos targos added the release Issues and PRs related to Node.js releases. label Apr 11, 2021
@targos targos removed needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. meta Issues and PRs related to the general management of the project. labels Jun 6, 2021