2021-10-12, Version 16.11.1 (Current)v16.11.1

This is a security release.

Notable Changes:

* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
  * The http parser accepts requests with a space (SP) right after the
  header name before the colon. This can lead to HTTP Request Smuggling
  (HRS). More details are available at:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
  * The parse ignores chunk extensions when parsing the body of chunked
  requests. This leads to HTTP Request Smuggling (HRS) under certain
  conditions. More details are available at:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960

PR-URL: https://github.com/nodejs-private/node-private/pull/293

3 files changed, 22 insertions, 2 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 25f69077947..66143e13437 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,7 +33,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V16.md#16.11.0">16.11.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V16.md#16.11.1">16.11.1</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V16.md#16.11.0">16.11.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V16.md#16.10.0">16.10.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V16.md#16.9.1">16.9.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V16.md#16.9.0">16.9.0</a><br/>
diff --git a/doc/changelogs/CHANGELOG_V16.md b/doc/changelogs/CHANGELOG_V16.md
index 5ec86f53455..02423877fa1 100644
--- a/doc/changelogs/CHANGELOG_V16.md
+++ b/doc/changelogs/CHANGELOG_V16.md
@@ -8,6 +8,7 @@
 </tr>
 <tr>
 <td>
+<a href="#16.11.1">16.11.1</a><br/>
 <a href="#16.11.0">16.11.0</a><br/>
 <a href="#16.10.0">16.10.0</a><br/>
 <a href="#16.9.1">16.9.1</a><br/>
@@ -47,6 +48,24 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="16.11.1"></a>
+## 2021-10-12, Version 16.11.1 (Current), @danielleadams
+
+This is a security release.
+
+### Notable changes
+
+* **CVE-2021-22959**: HTTP Request Smuggling due to spaced in headers (Medium)
+  * The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at [CVE-2021-22959](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959) after publication.
+* **CVE-2021-22960**: HTTP Request Smuggling when parsing the body (Medium)
+  * The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at [CVE-2021-22960](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960) after publication.
+
+### Commits
+
+* [[`af488f8dc8`](https://github.com/nodejs/node/commit/af488f8dc8)] - **deps**: update llhttp to 6.0.4 (Matteo Collina) [nodejs-private/node-private#284](https://github.com/nodejs-private/node-private/pull/284)
+* [[`2d1eefad98`](https://github.com/nodejs/node/commit/2d1eefad98)] - **http**: add regression test for smuggling content length (Matteo Collina) [nodejs-private/node-private#284](https://github.com/nodejs-private/node-private/pull/284)
+* [[`45d419ab1c`](https://github.com/nodejs/node/commit/45d419ab1c)] - **http**: add regression test for chunked smuggling (Matteo Collina) [nodejs-private/node-private#284](https://github.com/nodejs-private/node-private/pull/284)
+
 <a id="16.11.0"></a>
 ## 2021-10-08, Version 16.11.0 (Current), @danielleadams
 
diff --git a/src/node_version.h b/src/node_version.h
index 813934e5f28..119a341d8dc 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -29,7 +29,7 @@
 #define NODE_VERSION_IS_LTS 0
 #define NODE_VERSION_LTS_CODENAME ""
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)