September 2020 Security Releases (15 Sep)
Updates are now available for the v10.x, v12.x and v14.x Node.js release lines for the following issues.
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.
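The defect class described above, modelled as an added Python example (not Node.js or llhttp code): a header parser that rewrites a bare CR to '-' and one that rejects bare CR are run over the same constructed header block and disagree about how many fields it contains, which is exactly the parser disagreement that makes request smuggling possible. The sample block and all function names are constructed for this illustration.

```python
import re

# Constructed header block: the second line contains a bare CR that is not
# part of a CRLF terminator.
RAW = b"Host: example.test\r\nX-Note: one\rX-Other: two\r\n\r\n"

# RFC 7230 tchar set for header field names.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_headers_lenient(raw: bytes) -> dict:
    """Model of the pre-fix behaviour: every CR not followed by LF is turned
    into '-' before the block is split on CRLF, so the bare CR silently
    merges two would-be lines into one field value."""
    normalized = re.sub(rb"\r(?!\n)", b"-", raw)
    headers = {}
    for line in normalized.split(b"\r\n"):
        if not line:  # empty line ends the header block
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def parse_headers_strict(raw: bytes) -> dict:
    """Strict parser: a bare CR or LF inside a header line, a missing CRLF
    terminator, or a non-token field name is an error, never a rewrite."""
    headers = {}
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("header block not terminated by CRLF")
        line = raw[pos:end]
        pos = end + 2
        if not line:
            return headers
        if b"\r" in line or b"\n" in line:
            raise ValueError("bare CR/LF inside header line")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise ValueError("invalid header field name")
        headers[name.lower().decode()] = value.strip().decode()


def parsers_agree(raw: bytes) -> bool:
    """True only when the lenient and strict views of the block coincide."""
    try:
        return parse_headers_lenient(raw) == parse_headers_strict(raw)
    except ValueError:
        return False
```

For RAW the lenient parser returns a single merged "x-note" field while the strict parser raises, so parsers_agree(RAW) is False; a block with only CRLF line endings makes both parsers agree.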
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
- CVE-2020-8252: fs.realpath.native may cause buffer overflow (Medium).
Commits:
- [2ea6d255f8] - deps: libuv: cherry-pick 0e6e8620 (cjihrig) nodejs-private/node-private#221
- [65415049af] - deps: update llhttp to 2.1.2 (Fedor Indutny) nodejs-private/node-private#219
- [edad52e243] - test: modify tests to support the latest llhttp (Fedor Indutny) nodejs-private/node-private#219
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical).
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8252: fs.realpath.native may cause buffer overflow (Medium).
Commits:
- [57badcf93e] - deps: libuv: cherry-pick 0e6e8620 (Colin Ihrig) libuv/libuv#2966
Reposted from https://nodejs.org/en/blog/