Next | Query returned 49 messages, browsing 11 to 20 | Previous

History of commit frequency

CVS Commit History:


   2021-10-07 16:21:17 by Nia Alarie | Files touched by this commit (282)
Log message:
lang: Remove SHA1 hashes for distfiles
   2021-09-29 21:01:31 by Adam Ciarcinski | Files touched by this commit (872)
Log message:
revbump for boost-libs
   2021-09-17 22:07:15 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nodejs12: updated to 12.22.6

Version 12.22.6 'Erbium' (LTS)

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which \ 
are related to the initial reports and subsequent remediation of node-tar \ 
vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security \ 
review of node-tar and additional external bounty reports have resulted in \ 
another 5 CVE being remediated in core npm CLI dependencies including node-tar, \ 
and npm arborist.

Version 12.22.5 'Erbium' (LTS)

This is a security release.

Notable Changes

CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in \ 
domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to \ 
missing input validation of hostnames returned by Domain Name Servers in the \ 
Node.js DNS library which can lead to the output of wrong hostnames (leading to \ 
Domain Hijacking) and injection vulnerabilities in applications using the \ 
library. You can read more about it at \ 
https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be \ 
able to exploit memory corruption to change process behavior. This release \ 
includes a follow-up fix for CVE-2021-22930 as the issue was not completely \ 
resolved by the previous fix. You can read more about it at \ 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was in \ 
passed for the "rejectUnauthorized" parameter, no error was returned \ 
and connections to servers with an expired certificate would have been accepted. \ 
You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Version 12.22.4 'Erbium' (LTS)

This is a security release.

Notable Changes

CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might be able \ 
to exploit the memory corruption, to change process behavior. You can read more \ 
about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
   2021-07-06 09:04:11 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs12: updated to 12.22.3

Version 12.22.3 'Erbium' (LTS)

Notable Changes

Node.js 12.22.2 introduced a regression in the Windows installer on non-English \ 
locales that is being fixed in this release. There is no need to download this \ 
release if you are not using the Windows installer.

Version 12.22.2 'Erbium' (LTS)

This is a security release.

Notable Changes

Vulnerabilities fixed:

CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() \ 
function which is used to convert strings to ASCII. This is called by Node's dns \ 
module's lookup() function and can lead to information disclosures or crashes. \ 
You can read more about it in \ 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918

CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation \ 
(Medium)
Node.js is vulnerable to local privilege escalation attacks under certain \ 
conditions on Windows platforms. More specifically, improper configuration of \ 
permissions in the installation directory allows an attacker to perform two \ 
different escalation attacks: PATH and DLL hijacking. You can read more about it \ 
in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921

CVE-2021-27290: npm upgrade - ssri Regular Expression Denial of Service (ReDoS) \ 
(High)
This is a vulnerability in the ssri npm mudule which may be vulnerable to denial \ 
of service attacks. You can read more about it in \ 
https://github.com/advisories/GHSA-vx3p-948g-6vhq

CVE-2021-23362: npm upgrade - hosted-git-info Regular Expression Denial of \ 
Service (ReDoS) (Medium)
This is a vulnerability in the hosted-git-info npm mudule which may be \ 
vulnerable to denial of service attacks. You can read more about it in \ 
https://nvd.nist.gov/vuln/detail/CVE-2021-23362
   2021-06-24 11:31:26 by Adam Ciarcinski | Files touched by this commit (1)
Log message:
nodejs12: use external brotli; bump revision
   2021-04-21 13:43:04 by Adam Ciarcinski | Files touched by this commit (1822)
Log message:
revbump for textproc/icu
   2021-04-07 08:21:06 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs12: updated to 12.22.1

Version 12.22.1 'Erbium' (LTS)

This is a security release.

Notable Changes

Vulnerabilities fixed:

CVE-2021-3450: OpenSSL - CA certificate check bypass with \ 
X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You \ 
can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines

CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You \ 
can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines

CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by \ 
prototype pollution. You can read more about it in \ 
https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines

Version 12.22.0 'Erbium' (LTS)

Notable changes

The legacy HTTP parser is runtime deprecated

The legacy HTTP parser, selected by the --http-parser=legacy command line \ 
option, is deprecated with the pending End-of-Life of Node.js 10.x (where it is \ 
the only HTTP parser implementation provided) at the end of April 2021. It will \ 
now warn on use but otherwise continue to function and may be removed in a \ 
future Node.js 12.x release.

The default HTTP parser based on llhttp is not affected. By default it is \ 
stricter than the now deprecated legacy HTTP parser. If interoperability with \ 
HTTP implementations that send invalid HTTP headers is required, the HTTP parser \ 
can be started in a less secure mode with the --insecure-http-parser command \ 
line option.

ES Modules

ES Modules are now considered stable.

node-api

Updated to node-api version 8 and added an experimental API to allow retrieval \ 
of the add-on file name.

New API's to control code coverage data collection

v8.stopCoverage() and v8.takeCoverage() have been added.

New API to monitor event loop utilization by Worker threads

worker.performance.eventLoopUtilization() has been added.
   2021-02-24 12:10:12 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
nodejs10/12: switch to .tar.xz
   2021-02-24 12:05:28 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs12: updated to 12.21.0

Version 12.21.0 'Erbium' (LTS)

This is a security release.

Notable changes

Vulnerabilities fixed:

CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource \ 
exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too \ 
many connection attempts with an 'unknownProtocol' are established. This leads \ 
to a leak of file descriptors. If a file descriptor limit is configured on the \ 
system, then the server is unable to accept new connections and prevent the \ 
process also from opening, e.g. a file. If no file descriptor limit is \ 
configured, then this lead to an excessive memory usage and cause the system to \ 
run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the \ 
whitelist includes “localhost6”. When “localhost6” is not present in \ 
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over \ 
network. If the attacker controls the victim's DNS server or can spoof its \ 
responses, the DNS rebinding protection can be bypassed by using the \ 
“localhost6” domain. As long as the attacker uses the “localhost6” \ 
domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You \ 
can read more about it in https://www.openssl.org/news/secadv/20210216.txt
   2021-02-15 11:21:43 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs12: updated to 12.20.2

Version 12.20.2 'Erbium' (LTS)

Notable changes

deps:
upgrade npm to 6.14.11

Next | Query returned 49 messages, browsing 11 to 20 | Previous