Subject: CVS commit: pkgsrc/lang/nodejs
From: Adam Ciarcinski
Date: 2021-09-17 22:08:23
Message id: 20210917200823.3E5D8FA97@cvs.NetBSD.org
Log Message:
nodejs: updated to 14.17.6
Version 14.17.6 'Fermium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVEs being remediated in core npm CLI dependencies including node-tar and npm arborist.
Version 14.17.5 'Fermium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Files: