| author | Beth Griggs <Bethany.Griggs@uk.ibm.com> | 2020-02-04 20:58:51 +0300 |
|---|---|---|
| committer | Beth Griggs <Bethany.Griggs@uk.ibm.com> | 2020-02-06 02:10:23 +0300 |
| commit | 6558cfc0b075adfffe0d8c87bbe0d3e0b9326ab5 (patch) | |
| tree | a1ab70c7024bcfcf813b988171844fdf01ea995b | |
| parent | eea3a7429bd91d1ed69b8364abecf06694661ac1 (diff) | |
2020-02-06, Version 13.8.0 (Current) [v13.8.0]
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/196
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | CHANGELOG.md | 3 |
| -rw-r--r-- | doc/api/http.md | 4 |
| -rw-r--r-- | doc/changelogs/CHANGELOG_V13.md | 28 |
| -rw-r--r-- | src/node_version.h | 6 |

4 files changed, 35 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index c5c0fd7063c..de6e21fed04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,7 +30,8 @@ release. </tr> <tr> <td valign="top"> -<b><a href="doc/changelogs/CHANGELOG_V13.md#13.7.0">13.7.0</a></b><br/> +<b><a href="doc/changelogs/CHANGELOG_V13.md#13.8.0">13.8.0</a></b><br/> +<a href="doc/changelogs/CHANGELOG_V13.md#13.7.0">13.7.0</a><br/> <a href="doc/changelogs/CHANGELOG_V13.md#13.6.0">13.6.0</a><br/> <a href="doc/changelogs/CHANGELOG_V13.md#13.5.0">13.5.0</a><br/> <a href="doc/changelogs/CHANGELOG_V13.md#13.4.0">13.4.0</a><br/> diff --git a/doc/api/http.md b/doc/api/http.md index dd90b54d3e1..beba834bd72 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -2031,7 +2031,7 @@ Found'`. <!-- YAML added: v0.1.13 changes: - - version: REPLACEME + - version: v13.8.0 pr-url: https://github.com/nodejs/node/pull/31448 description: The `insecureHTTPParser` option is supported now. - version: v13.3.0 @@ -2162,7 +2162,7 @@ This can be overridden for servers and client requests by passing the <!-- YAML added: v0.3.6 changes: - - version: REPLACEME + - version: v13.8.0 pr-url: https://github.com/nodejs/node/pull/31448 description: The `insecureHTTPParser` option is supported now. - version: v13.3.0 diff --git a/doc/changelogs/CHANGELOG_V13.md b/doc/changelogs/CHANGELOG_V13.md index 7968c75ef26..f3234798733 100644 --- a/doc/changelogs/CHANGELOG_V13.md +++ b/doc/changelogs/CHANGELOG_V13.md @@ -9,6 +9,7 @@ </tr> <tr> <td> +<a href="#13.8.0">13.8.0</a><br/> <a href="#13.7.0">13.7.0</a><br/> <a href="#13.6.0">13.6.0</a><br/> <a href="#13.5.0">13.5.0</a><br/> 
@@ -37,6 +38,33 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) +<a id="13.8.0"></a> +## 2020-02-06, Version 13.8.0 (Current), @BethGriggs + +### Notable Changes + +This is a security release. + +Vulnerabilities fixed: +* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed. +* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header. +* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string. + +Also, HTTP parsing is more strict to be more secure. Since this may +cause problems in interoperability with some non-conformant HTTP +implementations, it is possible to disable the strict checks with the +`--insecure-http-parser` command line flag, or the `insecureHTTPParser` +http option. Using the insecure HTTP parser should be avoided. + +### Commits + +* [[`b7da194714`](https://github.com/nodejs/node/commit/b7da194714)] - **benchmark**: support optional headers with wrk (Sam Roberts) [nodejs-private/node-private#189](https://github.com/nodejs-private/node-private/pull/189) +* [[`1156a9e5f8`](https://github.com/nodejs/node/commit/1156a9e5f8)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://github.com/nodejs-private/node-private/pull/175) +* [[`8f41e837bb`](https://github.com/nodejs/node/commit/8f41e837bb)] - **deps**: update llhttp to 2.0.4 (Beth Griggs) [nodejs-private/node-private#199](https://github.com/nodejs-private/node-private/pull/199) +* [[`07d56e49cf`](https://github.com/nodejs/node/commit/07d56e49cf)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://github.com/nodejs/node/pull/31448) +* [[`25b6897e8a`](https://github.com/nodejs/node/commit/25b6897e8a)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#189](https://github.com/nodejs-private/node-private/pull/189) 
+* [[`eea3a7429b`](https://github.com/nodejs/node/commit/eea3a7429b)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#199](https://github.com/nodejs-private/node-private/pull/199) + <a id="13.7.0"></a> ## 2020-01-21, Version 13.7.0 (Current), @codebytere diff --git a/src/node_version.h b/src/node_version.h index 2fc21b33d11..acfa5f18a49 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -23,13 +23,13 @@ #define SRC_NODE_VERSION_H_ #define NODE_MAJOR_VERSION 13 -#define NODE_MINOR_VERSION 7 -#define NODE_PATCH_VERSION 1 +#define NODE_MINOR_VERSION 8 +#define NODE_PATCH_VERSION 0 #define NODE_VERSION_IS_LTS 0 #define NODE_VERSION_LTS_CODENAME "" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) |
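Review bot: in the two doc/api/http.md hunks (around lines 2031 and 2162) both `- version: REPLACEME` / `+ version: v13.8.0` substitutions belong to the #31448 `insecureHTTPParser` changelog entries; since that PR made the parser configurable per-stream or per-server, confirm no other `version: REPLACEME` placeholder from the same PR remains in files this diff does not touch, otherwise the published docs for this release would still render REPLACEME there.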
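Review bot: the Notable Changes block in the doc/changelogs/CHANGELOG_V13.md hunk lists the three CVEs without saying which commit addresses each, although the Commits list right below carries the matching entries; suggest stating the mapping explicitly so it can be audited, e.g. CVE-2019-15606 is `25b6897e8a` (http: strip trailing OWS from header values), CVE-2019-15604 is `1156a9e5f8` (crypto: fix assertion caused by unsupported ext), and CVE-2019-15605 is `8f41e837bb` (deps: update llhttp to 2.0.4) with `eea3a7429b` as its regression test.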
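Review bot: the src/node_version.h hunk is internally consistent: NODE_MINOR_VERSION goes 7 to 8 (rather than a patch bump), which matches the **(SEMVER-MINOR)** `07d56e49cf` http commit in the changelog, and NODE_VERSION_IS_RELEASE flips 0 to 1 while NODE_VERSION_IS_LTS stays 0, matching the "(Current)" label. Worth a second look: the pre-change state was 13.7.1 with NODE_VERSION_IS_RELEASE 0, i.e. a 13.7.1 pre-release that never shipped, so nothing in the changelog or release notes should reference 13.7.1 as a published version.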