2021-01-04, Version 12.20.1 'Erbium' (LTS)

Notable changes:

This is a security release.

Vulnerabilities fixed:

- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt

PR-URL: https://github.com/nodejs-private/node-private/pull/240

1 files changed, 2 insertions, 1 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd9451d21ca..32e8c986f92 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -67,7 +67,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V14.md#14.0.0">14.0.0</a><br/>
     </td>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V12.md#12.20.0">12.20.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V12.md#12.20.1">12.20.1</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V12.md#12.20.0">12.20.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.19.1">12.19.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.19.0">12.19.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.18.4">12.18.4</a><br/>