From 5ba7df3c4b81ab695029dacf34a0aa960be71372 Mon Sep 17 00:00:00 2001
From: Beth Griggs
Date: Wed, 5 Feb 2020 00:44:37 +0000
Subject: 2020-02-06, Version 10.19.0 'Dubnium' (LTS)

This is a security release.

Vulnerabilities fixed:

* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the `--insecure-http-parser` command line flag, or the `insecureHTTPParser` http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/198
---
 CHANGELOG.md | 3 ++-
 doc/api/cli.md | 2 +-
 doc/api/http.md | 4 ++--
 doc/changelogs/CHANGELOG_V10.md | 30 ++++++++++++++++++++++++++++++
 src/node_version.h | 6 +++---
 5 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md index f7d1c7d3e20..dff504dfe01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,7 +33,8 @@ release. 12.0.0
-10.18.1
+10.19.0
+10.18.1
10.18.0
10.17.0
10.16.3
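Review bot: the `10.18.1` entry in this CHANGELOG.md hunk is removed and re-added with the same visible text, so whatever changed on that line cannot be checked from what is shown here. Please confirm that the new `10.19.0` entry is the only one marked as the current release in this column and that it points at the 10.19.0 section this commit adds to doc/changelogs/CHANGELOG_V10.md (30 insertions in the diffstat).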
diff --git a/doc/api/cli.md b/doc/api/cli.md index 2f946c2aea3..c322ed55104 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -183,7 +183,7 @@ Specify the `file` of the custom [experimental ECMAScript Module][] loader. ### `--insecure-http-parser` Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow diff --git a/doc/api/http.md b/doc/api/http.md index 115540b1020..1fe01915d68 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -1830,7 +1830,7 @@ Found'`.
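Review bot: the doc/api/cli.md hunk at `@@ -183,7 +183,7 @@` declares a one-line change under `--insecure-http-parser`, but no `+` or `-` line is visible, so the edit itself cannot be reviewed here. Since the commit message says that using the insecure HTTP parser should be avoided and ties the stricter parsing to the request smuggling fix (CVE-2019-15605), check that this section names the release in which the flag became available (10.19.0) and states that risk in the sentence beginning "This may allow", and that the `insecureHTTPParser` option gets matching wording in doc/api/http.md, whose hunk is cut off after its header.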