Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Node.js to v10.24.1 #255

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update Node.js to v10.24.1 #255

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 18, 2020

Mend Renovate

This PR contains the following updates:

Package Update Change
node minor v10.5.0 -> 10.24.1

Release Notes

nodejs/node

v10.24.1: 2021-04-06, Version 10.24.1 'Dubnium' (LTS), @​mylesborins

Compare Source

This is a security release.

Notable Changes

Vulerabilties fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines
Commits

v10.24.0: 2021-02-23, Version 10.24.0 'Dubnium' (LTS), @​richardlau

Compare Source

This is a security release.

Notable changes

Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    • Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
  • CVE-2021-22884: DNS rebinding in --inspect
    • Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Commits

v10.23.3: 2021-02-09, Version 10.23.3 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

The update to npm 6.14.11 has been relanded so that npm correctly reports its version.

Commits

v10.23.2: 2021-01-26, Version 10.23.2 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

Release keys have been synchronized with the main branch.

  • deps:
    • upgrade npm to 6.14.11 (Darcy Clarke) #​36838
Commits

v10.23.1: 2021-01-04, Version 10.23.1 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8265: use-after-free in TLSWrap (High)
    Affected Node.js versions are vulnerable to a use-after-free bug in its
    TLS implementation. When writing to a TLS enabled socket,
    node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
    allocated WriteWrap object as first argument. If the DoWrite method does
    not return an error, this object is passed back to the caller as part of
    a StreamWriteResult structure. This may be exploited to corrupt memory
    leading to a Denial of Service or potentially other exploits
  • CVE-2020-8287: HTTP Request Smuggling in nodejs
    Affected versions of Node.js allow two copies of a header field in a
    http request. For example, two Transfer-Encoding header fields. In this
    case Node.js identifies the first header field and ignores the second.
    This can lead to HTTP Request Smuggling
    (https://cwe.mitre.org/data/definitions/444.html).
  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
    This is a vulnerability in OpenSSL which may be exploited through Node.js.
    You can read more about it in
    https://www.openssl.org/news/secadv/20201208.txt
Commits

v10.23.0: 2020-10-27, Version 10.23.0 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes
  • deps:
    • upgrade npm to 6.14.8 (Ruy Adorno) #​34834
  • n-api:
    • create N-API version 7 (Gabriel Schulhof) #​35199
    • expose napi_build_version variable (NickNaso) #​27835
  • tools:
    • add debug entitlements for macOS 10.15+ (Gabriele Greco) #​34378
Commits

v10.22.1: 2020-09-15, Version 10.22.1 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Commits

v10.22.0: 2020-07-21, Version 10.22.0 'Dubnium' (LTS), @​BethGriggs prepared by @​richardlau

Compare Source

Notable changes
  • deps:
    • upgrade npm to 6.14.6 (claudiahdz) #​34246
    • upgrade openssl sources to 1.1.1g (Hassaan Pasha) #​32982
  • n-api:
    • add napi_detach_arraybuffer (legendecas) #​29768
Commits

v10.21.0: 2020-06-02, Version 10.21.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
  • CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
Commits

v10.20.1: 2020-04-12, Version 10.20.1 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

Due to release process failures, Node.js v10.20.0 shipped with source
and header tarballs that did not properly match the final release
commit that was used to build the binaries. We recommend that Node.js
v10.20.0 not be used, particularly in any applications using native
add-ons or where compiling Node.js from source is involved.

Node.js v10.20.1 is a clean release with the correct sources and is
strongly recommended in place of v10.20.0.

v10.20.0: 2020-04-08, Version 10.20.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

macOS package notarization and a change in builder configuration

The macOS binaries for this release, and future 10.x releases, are now
being compiled on macOS 10.15 (Catalina) with Xcode 11 to support
package notarization, a requirement for installing .pkg files on macOS
10.15 and later. Previous builds of Node.js 10.x were compiled on macOS
10.10 (Yosemite) with a minimum deployment target of macOS 10.7 (Lion).
As binaries are still being compiled to support a minimum of macOS 10.7
(Lion) we do not anticipate this having a negative impact on Node.js
10.x users with older versions of macOS.

Notable changes
  • buffer: add {read|write}Big[U]Int64{BE|LE} methods (garygsc) #​19691
  • build: macOS package notarization (Rod Vagg) #​31459
  • deps:
    • update npm to 6.14.3 (Myles Borins) #​32368
    • upgrade openssl sources to 1.1.1e (Hassaan Pasha) #​32328
    • upgrade to libuv 1.34.2 (cjihrig) #​31477
  • n-api:
    • add napi_get_all_property_names (himself65) #​30006
    • add APIs for per-instance state management (Gabriel Schulhof) #​28682
    • define release 6 #​32058
    • turn NAPI_CALL_INTO_MODULE into a function (Anna Henningsen) #​26128
  • tls:
    • expose keylog event on TLSSocket (Alba Mendez) #​27654
    • support TLS min/max protocol defaults in CLI (Sam Roberts) #​27946
  • url: handle quasi-WHATWG URLs in urlToOptions() (cjihrig) #​26226
Commits

v10.19.0: 2020-02-06, Version 10.19.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
  • CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
--insecure-http-parser command line flag, or the insecureHTTPParser
http option. Using the insecure HTTP parser should be avoided.

Commits

v10.18.1: 2020-01-09, Version 10.18.1 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes
  • http2: fix session memory accounting after pausing (Michael Lehenbauer) #​30684
  • n-api: correct bug in napi_get_last_error (Octavian Soldea) #​28702
  • tools: update tzdata to 2019c (Myles Borins) #​30479
Commits

v10.18.0: 2019-12-17, Version 10.18.0 'Dubnium' (LTS), @​MylesBorins

Compare Source

This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable changes
Commits

v10.17.0: 2019-10-22, Version 10.17.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes
  • crypto:
    • add support for chacha20-poly1305 for AEAD (chux0519) #​24081
    • increase maxmem range from 32 to 53 bits (Tobias Nießen) #​28799
  • deps:
    • update npm to 6.11.3 (claudiahdz) #​29430
    • upgrade openssl sources to 1.1.1d (Sam Roberts) #​29921
  • dns: remove dns.promises experimental warning (cjihrig) #​26592
  • fs: remove experimental warning for fs.promises (Anna Henningsen) #​26581
  • http: makes response.writeHead return the response (Mark S. Everitt) #​25974
  • http2: makes response.writeHead return the response (Mark S. Everitt) #​25974
  • n-api:
    • make func argument of napi_create_threadsafe_function optional (legendecas) #​27791
    • mark version 5 N-APIs as stable (Gabriel Schulhof) #​29401
    • implement date object (Jarrod Connolly) #​25917
  • process: add --unhandled-rejections flag (Ruben Bridgewater) #​26599
  • stream:
    • implement Readable.from async iterator utility (Guy Bedford) #​27660
    • make Symbol.asyncIterator support stable (Matteo Collina) #​26989
Commits

v10.16.3: 2019-08-15, Version 10.16.3 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

  • CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
  • CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
  • CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/node-10.x branch from 223b194 to 507da7f Compare April 25, 2020 22:11
@renovate renovate bot changed the title Update Node.js to v10.19.0 Update Node.js to v10.20.1 Apr 25, 2020
@renovate renovate bot force-pushed the renovate/node-10.x branch from 507da7f to b2632ef Compare June 2, 2020 19:58
@renovate renovate bot changed the title Update Node.js to v10.20.1 Update Node.js to v10.21.0 Jun 2, 2020
@renovate renovate bot force-pushed the renovate/node-10.x branch from b2632ef to fe57197 Compare July 21, 2020 16:36
@renovate renovate bot changed the title Update Node.js to v10.21.0 Update Node.js to v10.22.0 Jul 21, 2020
@renovate renovate bot force-pushed the renovate/node-10.x branch from fe57197 to ac919c0 Compare September 15, 2020 21:19
@renovate renovate bot changed the title Update Node.js to v10.22.0 Update Node.js to v10.22.1 Sep 15, 2020
@renovate renovate bot force-pushed the renovate/node-10.x branch from ac919c0 to a1ad25b Compare October 27, 2020 16:23
@renovate renovate bot changed the title Update Node.js to v10.22.1 Update Node.js to v10.23.0 Oct 27, 2020
@renovate renovate bot force-pushed the renovate/node-10.x branch from a1ad25b to e1aadb2 Compare January 7, 2021 04:58
@renovate renovate bot changed the title Update Node.js to v10.23.0 Update Node.js to v10.23.1 Jan 7, 2021
@renovate renovate bot force-pushed the renovate/node-10.x branch from e1aadb2 to b3aa7b6 Compare January 30, 2021 15:59
@renovate renovate bot changed the title Update Node.js to v10.23.1 Update Node.js to v10.23.2 Jan 30, 2021
@renovate renovate bot force-pushed the renovate/node-10.x branch from b3aa7b6 to 83400ff Compare February 10, 2021 14:51
@renovate renovate bot changed the title Update Node.js to v10.23.2 Update Node.js to v10.23.3 Feb 10, 2021
@renovate renovate bot force-pushed the renovate/node-10.x branch from 83400ff to 5d07af2 Compare February 23, 2021 13:07
@renovate renovate bot changed the title Update Node.js to v10.23.3 Update Node.js to v10.24.0 Feb 23, 2021
@renovate renovate bot force-pushed the renovate/node-10.x branch from 5d07af2 to b12b3e5 Compare April 6, 2021 21:05
@renovate renovate bot changed the title Update Node.js to v10.24.0 Update Node.js to v10.24.1 Apr 6, 2021
@renovate
Copy link
Contributor Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant