2022-01-10, Version 17.3.1 (Current)v17.3.1

This is a security release. Notable changes: Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. - Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531 Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532) - Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. - Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the `--security-revert` command-line option. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532 Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533) - Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. - Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533 Prototype pollution via `console.table` properties (Low)(CVE-2022-21824) - Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype. - Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824 PR-URL: https://github.com/nodejs-private/node-private/pull/311
author: Beth Griggs <bgriggs@redhat.com> 2022-01-08 04:38:03 +0300
committer: Beth Griggs <bgriggs@redhat.com> 2022-01-10 19:00:06 +0300
commit: e4f326669a3f98a8804dde23eee6d8403f0a99f1 (patch)
tree: 0fc36a534b574cf7cf1ccb52f8e9efe0d58ec744
parent: df3141f59b336314215569aa471c551c1386ac09 (diff)
5 files changed, 58 insertions, 5 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f774ae5aaf..bcefce214b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,7 +33,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V17.md#17.3.0">17.3.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V17.md#17.3.1">17.3.1</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V17.md#17.3.0">17.3.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V17.md#17.2.0">17.2.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V17.md#17.1.0">17.1.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V17.md#17.0.1">17.0.1</a><br/>
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index e10bf1124c9..c837c4435bd 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -2579,7 +2579,7 @@ The SHA-512 fingerprint of this certificate.
 <!-- YAML
 added: v15.6.0
 changes:
-  - version: REPLACEME
+  - version: v17.3.1
     pr-url: https://github.com/nodejs-private/node-private/pull/300
     description: Parts of this string may be encoded as JSON string literals
                  in response to CVE-2021-44532.
@@ -2676,7 +2676,7 @@ The complete subject of this certificate.
 <!-- YAML
 added: v15.6.0
 changes:
-  - version: REPLACEME
+  - version: v17.3.1
     pr-url: https://github.com/nodejs-private/node-private/pull/300
     description: Parts of this string may be encoded as JSON string literals
                  in response to CVE-2021-44532.
diff --git a/doc/api/tls.md b/doc/api/tls.md
index cdd678c56e8..9545e08b9fb 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1461,7 +1461,7 @@ decrease overall server throughput.
 <!-- YAML
 added: v0.8.4
 changes:
-  - version: REPLACEME
+  - version: v17.3.1
     pr-url: https://github.com/nodejs-private/node-private/pull/300
     description: Support for `uniformResourceIdentifier` subject alternative
                  names has been disabled in response to CVE-2021-44531.
diff --git a/doc/changelogs/CHANGELOG_V17.md b/doc/changelogs/CHANGELOG_V17.md
index 35a2090e810..664c330a6cb 100644
--- a/doc/changelogs/CHANGELOG_V17.md
+++ b/doc/changelogs/CHANGELOG_V17.md
@@ -8,6 +8,7 @@
 </tr>
 <tr>
 <td>
+<a href="#17.3.1">17.3.1</a><br/>
 <a href="#17.3.0">17.3.0</a><br/>
 <a href="#17.2.0">17.2.0</a><br/>
 <a href="#17.1.0">17.1.0</a><br/>
@@ -36,6 +37,57 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="17.3.1"></a>
+
+## 2022-01-10, Version 17.3.1 (Current), @BethGriggs
+
+This is a security release.
+
+### Notable changes
+
+#### Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
+
+Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.
+
+Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option.
+
+More details will be available at [CVE-2021-44531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531) after publication.
+
+#### Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
+
+Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
+
+Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the `--security-revert` command-line option.
+
+More details will be available at [CVE-2021-44532](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532) after publication.
+
+#### Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
+
+Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.
+
+Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
+
+More details will be available at [CVE-2021-44533](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533) after publication.
+
+#### Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
+
+Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.
+
+Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.
+
+More details will be available at [CVE-2022-21824](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824) after publication.
+
+Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.
+
+### Commits
+
+* \[[`2a0515f73c`](https://github.com/nodejs/node/commit/2a0515f73c)] - **console**: fix prototype pollution via console.table (Tobias Nießen) [nodejs-private/node-private#307](https://github.com/nodejs-private/node-private/pull/307)
+* \[[`2e2c45553d`](https://github.com/nodejs/node/commit/2e2c45553d)] - **crypto,tls**: implement safe x509 GeneralName format (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
+* \[[`df3141f59b`](https://github.com/nodejs/node/commit/df3141f59b)] - **src**: add cve reverts and associated tests (Michael Dawson) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
+* \[[`5398548746`](https://github.com/nodejs/node/commit/5398548746)] - **src**: remove unused x509 functions (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
+* \[[`1f7fdff64a`](https://github.com/nodejs/node/commit/1f7fdff64a)] - **tls**: fix handling of x509 subject and issuer (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
+* \[[`b11b4cc69d`](https://github.com/nodejs/node/commit/b11b4cc69d)] - **tls**: drop support for URI alternative names (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
+
 <a id="17.3.0"></a>
 
 ## 2021-12-17, Version 17.3.0 (Current), @danielleadams
diff --git a/src/node_version.h b/src/node_version.h
index 5cc8eb89aa7..86a90ef80d6 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -29,7 +29,7 @@
 #define NODE_VERSION_IS_LTS 0
 #define NODE_VERSION_LTS_CODENAME ""
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
author	Beth Griggs <bgriggs@redhat.com>	2022-01-08 04:38:03 +0300
committer	Beth Griggs <bgriggs@redhat.com>	2022-01-10 19:00:06 +0300
commit	e4f326669a3f98a8804dde23eee6d8403f0a99f1 (patch)
tree	0fc36a534b574cf7cf1ccb52f8e9efe0d58ec744
parent	df3141f59b336314215569aa471c551c1386ac09 (diff)