#14704: node.js-14.16.0
-------------------------+------------------------
 Reporter:  bdubbs       |       Owner:  blfs-book
     Type:  enhancement  |      Status:  new
 Priority:  elevated     |   Milestone:  10.2
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+------------------------
Changes (by renodr):

 * priority:  normal => elevated


Comment:

 Three security fixes.

 Not sure if we want to backport this or not, the only dependents are
 Thunderbird and Firefox.

 {{{
 2021-02-23, Version 14.16.0 'Fermium' (LTS), @BethGriggs

 This is a security release.
 Notable changes

 Vulnerabilities fixed:

     CVE-2021-22883: HTTP2 'unknownProtocol' causes Denial of Service by
 resource exhaustion
         Affected Node.js versions are vulnerable to denial of service
 attacks when too many connection attempts with an 'unknownProtocol' are
 established. This leads to a leak of file descriptors. If a file
 descriptor limit is configured on the system, then the server is unable to
 accept new connections, and the process is also prevented from opening,
 e.g., a file. If no file descriptor limit is configured, then this leads
 to excessive memory usage and causes the system to run out of memory.
     CVE-2021-22884: DNS rebinding in --inspect
         Affected Node.js versions are vulnerable to denial of service
 attacks when the whitelist includes “localhost6”. When “localhost6” is not
 present in /etc/hosts, it is just an ordinary domain that is resolved via
 DNS, i.e., over network. If the attacker controls the victim's DNS server
 or can spoof its responses, the DNS rebinding protection can be bypassed
 by using the “localhost6” domain. As long as the attacker uses the
 “localhost6” domain, they can still apply the attack described in
 CVE-2018-7160.
     CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
         This is a vulnerability in OpenSSL which may be exploited through
 Node.js. You can read more about it in
 https://www.openssl.org/news/secadv/20210216.txt

 Commits

     [313d26800c] - deps: update archs files for OpenSSL-1.1.1j (Daniel
 Bevenius) #37412
     [6098012b48] - deps: upgrade openssl sources to 1.1.1j (Daniel
 Bevenius) #37412
     [afea10b097] - (SEMVER-MINOR) http2: add unknownProtocol timeout
 (Daniel Bevenius) nodejs-private/node-private#246
     [1ca3f5abcb] - src: drop localhost6 as allowed host for inspector
 (Matteo Collina) nodejs-private/node-private#244
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14704#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page