Subject: CVS commit: pkgsrc/lang/nodejs10
From: Adam Ciarcinski
Date: 2021-01-05 09:35:36
Message id: 20210105083536.AB810FA9D@cvs.NetBSD.org

Log Message:
nodejs10: updated to 10.23.1

Version 10.23.1 'Dubnium' (LTS)

Notable changes

This is a security release.

Vulnerabilities fixed:

CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are \ 
vulnerable to a use-after-free bug in its TLS implementation. When writing to a \ 
TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a \ 
freshly allocated WriteWrap object as first argument. If the DoWrite method does \ 
not return an error, this object is passed back to the caller as part of a \ 
StreamWriteResult structure. This may be exploited to corrupt memory leading to \ 
a Denial of Service or potentially other exploits
CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js \ 
allow two copies of a header field in a http request. For example, two \ 
Transfer-Encoding header fields. In this case Node.js identifies the first \ 
header field and ignores the second. This can lead to HTTP Request Smuggling \ 
(https://cwe.mitre.org/data/definitions/444.html).
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a \ 
vulnerability in OpenSSL which may be exploited through Node.js. You can read \ 
more about it in https://www.openssl.org/news/secadv/20201208.txt

Files:
RevisionActionfile
1.19modifypkgsrc/lang/nodejs10/Makefile
1.11modifypkgsrc/lang/nodejs10/distinfo