From 31d3b6d9cbf6f533e7990fa1b7f82976bc384c64 Mon Sep 17 00:00:00 2001
From: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Date: Tue, 4 Feb 2020 21:17:22 +0000
Subject: 2020-02-06, Version 12.15.0 'Erbium' (LTS)

This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/197
---
 CHANGELOG.md                    |  3 ++-
 doc/api/cli.md                  |  2 +-
 doc/api/http.md                 |  4 ++--
 doc/changelogs/CHANGELOG_V12.md | 32 ++++++++++++++++++++++++++++++++
 src/node_version.h              |  6 +++---
 5 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ec16a2f3d8c..f02bdaae234 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,7 +28,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V12.md#12.14.1">12.14.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V12.md#12.15.0">12.15.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V12.md#12.14.1">12.14.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.14.0">12.14.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.13.1">12.13.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.13.0">12.13.0</a><br/>
diff --git a/doc/api/cli.md b/doc/api/cli.md
index b70845cffc2..eb53aed510e 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -422,7 +422,7 @@ Specify the `module` of a custom [experimental ECMAScript Module][] loader.
 
 ### `--insecure-http-parser`
 <!-- YAML
-added: REPLACEME
+added: v12.15.0
 -->
 
 Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
diff --git a/doc/api/http.md b/doc/api/http.md
index d81c3a574bd..a02b1d6a08f 100644
--- a/doc/api/http.md
+++ b/doc/api/http.md
@@ -1917,7 +1917,7 @@ Found'`.
 <!-- YAML
 added: v0.1.13
 changes:
-  - version: REPLACEME
+  - version: v12.15.0
     pr-url: https://github.com/nodejs/node/pull/31448
     description: The `insecureHTTPParser` option is supported now.
   - version: v9.6.0, v8.12.0
@@ -2038,7 +2038,7 @@ Defaults to 8KB. Configurable using the [`--max-http-header-size`][] CLI option.
 <!-- YAML
 added: v0.3.6
 changes:
-  - version: REPLACEME
+  - version: v12.15.0
     pr-url: https://github.com/nodejs/node/pull/31448
     description: The `insecureHTTPParser` option is supported now.
   - version: v10.9.0
diff --git a/doc/changelogs/CHANGELOG_V12.md b/doc/changelogs/CHANGELOG_V12.md
index eda1917b42b..396a97095b6 100644
--- a/doc/changelogs/CHANGELOG_V12.md
+++ b/doc/changelogs/CHANGELOG_V12.md
@@ -10,6 +10,7 @@
 </tr>
 <tr>
 <td valign="top">
+<a href="#12.15.0">12.15.0</a><br/>
 <a href="#12.14.1">12.14.1</a><br/>
 <a href="#12.14.0">12.14.0</a><br/>
 <a href="#12.13.1">12.13.1</a><br/>
@@ -51,6 +52,37 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="12.15.0"></a>
+## 2020-02-06, Version 12.15.0 'Erbium' (LTS), @BethGriggs
+
+### Notable changes
+
+This is a security release.
+
+Vulnerabilities fixed:
+* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
+* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
+* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.
+
+Also, HTTP parsing is more strict to be more secure. Since this may
+cause problems in interoperability with some non-conformant HTTP
+implementations, it is possible to disable the strict checks with the
+`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
+http option. Using the insecure HTTP parser should be avoided.
+
+### Commits
+
+* [[`209767c7a2`](https://github.com/nodejs/node/commit/209767c7a2)] - **benchmark**: support optional headers with wrk (Sam Roberts) [nodejs-private/node-private#189](https://github.com/nodejs-private/node-private/pull/189)
+* [[`02c8905051`](https://github.com/nodejs/node/commit/02c8905051)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://github.com/nodejs-private/node-private/pull/175)
+* [[`25d6011912`](https://github.com/nodejs/node/commit/25d6011912)] - **deps**: update llhttp to 2.0.4 (Beth Griggs) [nodejs-private/llhttp-private#1](https://github.com/nodejs-private/llhttp-private/pull/1)
+* [[`8162f0e194`](https://github.com/nodejs/node/commit/8162f0e194)] - **deps**: upgrade http-parser to v2.9.3 (Sam Roberts) [nodejs-private/http-parser-private#4](https://github.com/nodejs-private/http-parser-private/pull/4)
+* [[`d41314ef99`](https://github.com/nodejs/node/commit/d41314ef99)] - **(SEMVER-MINOR)** **deps**: upgrade http-parser to v2.9.1 (Sam Roberts) [#30473](https://github.com/nodejs/node/pull/30473)
+* [[`7fc565666c`](https://github.com/nodejs/node/commit/7fc565666c)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://github.com/nodejs/node/pull/31448)
+* [[`496736ff78`](https://github.com/nodejs/node/commit/496736ff78)] - **(SEMVER-MINOR)** **http**: opt-in insecure HTTP header parsing (Sam Roberts) [#30567](https://github.com/nodejs/node/pull/30567)
+* [[`76fd8910e9`](https://github.com/nodejs/node/commit/76fd8910e9)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#189](https://github.com/nodejs-private/node-private/pull/189)
+* [[`9cd155eb4a`](https://github.com/nodejs/node/commit/9cd155eb4a)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#192](https://github.com/nodejs-private/node-private/pull/192)
+* [[`ab1fcb89cb`](https://github.com/nodejs/node/commit/ab1fcb89cb)] - **test**: check that --insecure-http-parser works (Sam Roberts) [#31253](https://github.com/nodejs/node/pull/31253)
+
 <a id="12.14.1"></a>
 ## 2020-01-07, Version 12.14.1 'Erbium' (LTS), @BethGriggs
 
diff --git a/src/node_version.h b/src/node_version.h
index 240237ee75e..e5205bb303f 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -23,13 +23,13 @@
 #define SRC_NODE_VERSION_H_
 
 #define NODE_MAJOR_VERSION 12
-#define NODE_MINOR_VERSION 14
-#define NODE_PATCH_VERSION 2
+#define NODE_MINOR_VERSION 15
+#define NODE_PATCH_VERSION 0
 
 #define NODE_VERSION_IS_LTS 1
 #define NODE_VERSION_LTS_CODENAME "Erbium"
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
-- 
cgit v1.2.3