Version 12.22.1 'Erbium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines
Version 12.22.0 'Erbium' (LTS)
Notable changes
The legacy HTTP parser is runtime deprecated
The legacy HTTP parser, selected by the --http-parser=legacy command line option, is deprecated with the pending End-of-Life of Node.js 10.x (where it is the only HTTP parser implementation provided) at the end of April 2021. It will now warn on use but otherwise continue to function and may be removed in a future Node.js 12.x release.
The default HTTP parser based on llhttp is not affected. By default it is stricter than the now deprecated legacy HTTP parser. If interoperability with HTTP implementations that send invalid HTTP headers is required, the HTTP parser can be started in a less secure mode with the --insecure-http-parser command line option.
ES Modules
ES Modules are now considered stable.
node-api
Updated to node-api version 8 and added an experimental API to allow retrieval of the add-on file name.
New API's to control code coverage data collection
v8.stopCoverage() and v8.takeCoverage() have been added.
New API to monitor event loop utilization by Worker threads
worker.performance.eventLoopUtilization() has been added.
Version 12.21.0 'Erbium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
Version 12.20.1 'Erbium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits
CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
Version 12.12.0 (Current)
Notable changes
build:
Add --force-context-aware flag to prevent usage of native node addons that aren't context aware
deprecations:
Add documentation-only deprecation for process._tickCallback()
esm:
Using JSON modules is experimental again
fs:
Introduce opendir() and fs.Dir to iterate through directories
process:
Add source-map support to stack traces by using --enable-source-maps
tls:
Honor pauseOnConnect option
Add option for private keys for OpenSSL engines
Version 12.19.1 'Erbium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8277: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses.
Version 12.18.4 'Erbium' (LTS)
Notable Changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Version 12.18.2 'Erbium' (LTS)
Notable changes
deps: V8: backport
Fixes memory leak in PrototypeUsers::Add
src: use symbol to store AsyncWrap resource
Fixes reported memory leak
Version 12.18.1 'Erbium' (LTS)
Notable Changes
deps:
V8: cherry-pick
update to uvwasi 0.0.9
upgrade to libuv 1.38.0
upgrade npm to 6.14.5
Version 12.18.0 'Erbium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Commits
- crypto: update root certificates
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
- tls: emit session after verifying certificate
- tools: update certdata.txt
Version 12.16.3 'Erbium' (LTS), @targos
Notable Changes
Dependencies:
Updated OpenSSL to 1.1.1g
Updated c-ares to 1.16.0
Updated experimental uvwasi to 0.0.6
ESM (experimental):
Additional warnings are no longer printed for modules that use conditional exports or package name self resolution
Version 12.16.2 'Erbium' (LTS)
Notable Changes
doc:
add ronag to collaborators
add GeoffreyBooth to collaborators
deps:
upgrade npm to 6.13.6
update openssl to 1.1.1e
Version 12.16.1 'Erbium' (LTS):
Node.js 12.16.0 included 6 regressions that are being fixed in this release
Version 12.16.0 'Erbium' (LTS):
New assert APIs
Advanced serialization for IPC
CLI flags
New crypto APIs
Dependency updates
Version 12.15.0 'Erbium' (LTS):
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
Version 12.14.1 'Erbium' (LTS):
Notable changes
* crypto: fix key requirements in asymmetric cipher
* deps:
- update llhttp to 2.0.1
- update nghttp2 to 1.40.0
* v8: mark serdes API as stable
Moved nodejs to nodejs10 - version 10.17.0
Version 12.13.1 'Erbium' (LTS):
Notable changes
Experimental support for building Node.js with Python 3 is improved.
ICU time zone data is updated to version 2019c. This fixes the date offset in Brazil.
