
v12.22.1 proposal #38083

Merged (4 commits, Apr 6, 2021)

Conversation

@MylesBorins (Member) commented Apr 4, 2021

2021-04-06, Version 12.22.1 'Erbium' (LTS), @MylesBorins

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x release lines
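The third entry above names prototype pollution as the vulnerability class. As an added illustration of that class (this is not code from y18n, npm or Node.js, and the function names and the JSON payload are constructed for the example), the block below shows a naive recursive merge of untrusted JSON that reaches `Object.prototype`, the hardened variant that skips prototype-affecting keys, and a small canary check an application or test suite can run to confirm the process prototype is still clean:

```javascript
// Added illustration (not code from y18n, npm or Node.js): how a recursive
// "merge untrusted JSON into an object" routine gets polluted, how a
// hardened variant avoids it, and a runtime canary check for the condition.
// The payload string below is constructed for this example.

const UNTRUSTED_JSON = '{"locale":"en","__proto__":{"polluted":true}}';

// Keys that, when walked recursively, can reach Object.prototype.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: every key of `src` is walked, so "__proto__" resolves
// through the Object.prototype accessor on `target` and the nested object is
// merged into Object.prototype itself.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened variant: prototype-affecting keys are dropped, and an existing
// nested target is only reused when it is the object's own property.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Canary: pollution by assignment adds an enumerable own property to
// Object.prototype, which a clean runtime never has.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Runs both merges on the same untrusted input and reports what happened.
// The pollution is undone afterwards so the process is left clean.
function demonstrate() {
  const cleanBefore = prototypeIsClean();

  naiveMerge({}, JSON.parse(UNTRUSTED_JSON));
  const naivePolluted = ({}).polluted === true && !prototypeIsClean();
  delete Object.prototype.polluted; // undo the damage for the rest of the process

  const cfg = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const safePolluted = ({}).polluted !== undefined || !prototypeIsClean();

  return { cleanBefore, naivePolluted, safePolluted, locale: cfg.locale };
}

console.log(demonstrate());
// → { cleanBefore: true, naivePolluted: true, safePolluted: false, locale: 'en' }
```

The canary is cheap enough to run at startup or in a test suite; when it trips after a dependency upgrade, the offending merge or option-parsing path is usually the place to look.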

Commits

tniessen and others added 3 commits April 4, 2021 15:57
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37939
Refs: #37913
Refs: #37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>

After an OpenSSL source update, all the config files need to be
regenerated and committed by:
   $ make -C deps/openssl/config
   $ git add deps/openssl/config/archs
   $ git add deps/openssl/openssl/include/crypto/bn_conf.h
   $ git add deps/openssl/openssl/include/crypto/dso_conf.h
   $ git add deps/openssl/openssl/include/openssl/opensslconf.h
   $ git commit

PR-URL: #37939
Refs: #37913
Refs: #37916
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>

PR-URL: #37918
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
@nodejs-github-bot (Collaborator) commented Apr 4, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/37146/
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2663/ ✅ (failures the same as previous 12.x release)

MylesBorins added a commit that referenced this pull request Apr 5, 2021
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: #38083
@MylesBorins MylesBorins merged commit fe1c4b4 into v12.x Apr 6, 2021
@MylesBorins MylesBorins deleted the v12.22.1-proposal branch April 6, 2021 20:11