diff options
| author | Beth Griggs <Bethany.Griggs@uk.ibm.com> | 2020-02-05 03:44:37 +0300 |
|---|---|---|
| committer | Beth Griggs <Bethany.Griggs@uk.ibm.com> | 2020-02-06 02:22:07 +0300 |
| commit | 5ba7df3c4b81ab695029dacf34a0aa960be71372 (patch) | |
| tree | 827a90efae535ad798747945446def254f34611a | |
| parent | e2c8f89b7572a7aea62927923e425bbd7725dca2 (diff) | |
2020-02-06, Version 10.19.0 'Dubnium' (LTS)v10.19.0
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/198
| -rw-r--r-- | CHANGELOG.md | 3 | ||||
| -rw-r--r-- | doc/api/cli.md | 2 | ||||
| -rw-r--r-- | doc/api/http.md | 4 | ||||
| -rw-r--r-- | doc/changelogs/CHANGELOG_V10.md | 30 | ||||
| -rw-r--r-- | src/node_version.h | 6 |
5 files changed, 38 insertions, 7 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index f7d1c7d3e20..dff504dfe01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,7 +33,8 @@ release. <a href="doc/changelogs/CHANGELOG_V12.md#12.0.0">12.0.0</a><br/> </td> <td valign="top"> -<b><a href="doc/changelogs/CHANGELOG_V10.md#10.18.1">10.18.1</a></b><br/> +<b><a href="doc/changelogs/CHANGELOG_V10.md#10.19.0">10.19.0</a></b><br/> +<a href="doc/changelogs/CHANGELOG_V10.md#10.18.1">10.18.1</a><br/> <a href="doc/changelogs/CHANGELOG_V10.md#10.18.0">10.18.0</a><br/> <a href="doc/changelogs/CHANGELOG_V10.md#10.17.0">10.17.0</a><br/> <a href="doc/changelogs/CHANGELOG_V10.md#10.16.3">10.16.3</a><br/> diff --git a/doc/api/cli.md b/doc/api/cli.md index 2f946c2aea3..c322ed55104 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -183,7 +183,7 @@ Specify the `file` of the custom [experimental ECMAScript Module][] loader. ### `--insecure-http-parser` <!-- YAML -added: REPLACEME +added: v10.19.0 --> Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow diff --git a/doc/api/http.md b/doc/api/http.md index 115540b1020..1fe01915d68 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -1830,7 +1830,7 @@ Found'`. <!-- YAML added: v0.1.13 changes: - - version: REPLACEME + - version: v10.19.0 pr-url: https://github.com/nodejs/node/pull/31448 description: The `insecureHTTPParser` option is supported now. - version: v9.6.0, v8.12.0 @@ -1950,7 +1950,7 @@ Defaults to 8KB. Configurable using the [`--max-http-header-size`][] CLI option. <!-- YAML added: v0.3.6 changes: - - version: REPLACEME + - version: v10.19.0 pr-url: https://github.com/nodejs/node/pull/31448 description: The `insecureHTTPParser` option is supported now. - version: v10.9.0 diff --git a/doc/changelogs/CHANGELOG_V10.md b/doc/changelogs/CHANGELOG_V10.md index 2b02844a6a0..6e1c22734d6 100644 --- a/doc/changelogs/CHANGELOG_V10.md +++ b/doc/changelogs/CHANGELOG_V10.md @@ -10,6 +10,7 @@ </tr> <tr> <td valign="top"> +<a href="#10.19.0">10.19.0</a><br/> <a href="#10.18.1">10.18.1</a><br/> <a href="#10.18.0">10.18.0</a><br/> <a href="#10.17.0">10.17.0</a><br/> @@ -58,6 +59,35 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) +<a id="10.19.0"></a> +## 2020-02-06, Version 10.19.0 'Dubnium' (LTS), @BethGriggs + +### Notable changes + +This is a security release. + +Vulnerabilities fixed: +* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed. +* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header. +* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string. + +Also, HTTP parsing is more strict to be more secure. Since this may +cause problems in interoperability with some non-conformant HTTP +implementations, it is possible to disable the strict checks with the +`--insecure-http-parser` command line flag, or the `insecureHTTPParser` +http option. Using the insecure HTTP parser should be avoided. + +### Commits + +* [[`f940bee3b7`](https://github.com/nodejs/node/commit/f940bee3b7)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://github.com/nodejs-private/node-private/pull/175) +* [[`49f4220ce5`](https://github.com/nodejs/node/commit/49f4220ce5)] - **deps**: upgrade http-parser to v2.9.3 (Sam Roberts) [nodejs-private/http-parser-private#4](https://github.com/nodejs-private/http-parser-private/pull/4) +* [[`a28e5cc1ed`](https://github.com/nodejs/node/commit/a28e5cc1ed)] - **(SEMVER-MINOR)** **deps**: upgrade http-parser to v2.9.1 (Sam Roberts) [#30471](https://github.com/nodejs/node/pull/30471) +* [[`0082f62d9c`](https://github.com/nodejs/node/commit/0082f62d9c)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://github.com/nodejs/node/pull/31448) +* [[`a9849c0ff6`](https://github.com/nodejs/node/commit/a9849c0ff6)] - **(SEMVER-MINOR)** **http**: opt-in insecure HTTP header parsing (Sam Roberts) [#30567](https://github.com/nodejs/node/pull/30567) +* [[`2eee90e959`](https://github.com/nodejs/node/commit/2eee90e959)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#191](https://github.com/nodejs-private/node-private/pull/191) +* [[`e2c8f89b75`](https://github.com/nodejs/node/commit/e2c8f89b75)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#192](https://github.com/nodejs-private/node-private/pull/192) +* [[`d616722f65`](https://github.com/nodejs/node/commit/d616722f65)] - **test**: check that --insecure-http-parser works (Sam Roberts) [#31253](https://github.com/nodejs/node/pull/31253) + <a id="10.18.1"></a> ## 2020-01-09, Version 10.18.1 'Dubnium' (LTS), @BethGriggs diff --git a/src/node_version.h b/src/node_version.h index fd24002a5dc..bdf15c0e721 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -23,13 +23,13 @@ #define SRC_NODE_VERSION_H_ #define NODE_MAJOR_VERSION 10 -#define NODE_MINOR_VERSION 18 -#define NODE_PATCH_VERSION 2 +#define NODE_MINOR_VERSION 19 +#define NODE_PATCH_VERSION 0 #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Dubnium" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) |