diff options
author | Richard Lau <rlau@redhat.com> | 2022-01-07 15:40:06 +0300 |
---|---|---|
committer | Richard Lau <rlau@redhat.com> | 2022-01-11 01:49:12 +0300 |
commit | 92e1abd541eb3bf5f01cb68bffbe96f79811db55 (patch) | |
tree | d3d4696b252ce094a14e0d799012670ceaceacc7 /CHANGELOG.md | |
parent | 3454e797137b1706b11ff2f6f7fb60263b39396b (diff) |
2022-01-10, Version 12.22.9 'Erbium' (LTS)
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/309
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- | CHANGELOG.md | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 498e93dc39f..d7d2fee01bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -100,7 +100,8 @@ release. <a href="doc/changelogs/CHANGELOG_V14.md#14.0.0">14.0.0</a><br/> </td> <td valign="top"> -<b><a href="doc/changelogs/CHANGELOG_V12.md#12.22.8">12.22.8</a></b><br/> +<b><a href="doc/changelogs/CHANGELOG_V12.md#12.22.9">12.22.9</a></b><br/> +<a href="doc/changelogs/CHANGELOG_V12.md#12.22.8">12.22.8</a><br/> <a href="doc/changelogs/CHANGELOG_V12.md#12.22.7">12.22.7</a><br/> <a href="doc/changelogs/CHANGELOG_V12.md#12.22.6">12.22.6</a><br/> <a href="doc/changelogs/CHANGELOG_V12.md#12.22.5">12.22.5</a><br/> |