[Buildroot] [PATCH] package/nodejs: security bump to version 12.20.1
Peter Korsgaard
peter at korsgaard.com
Tue Jan 12 10:33:19 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
>
> - CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions
>   are vulnerable to a use-after-free bug in its TLS implementation. When
>   writing to a TLS enabled socket, node::StreamBase::Write calls
>   node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first
>   argument. If the DoWrite method does not return an error, this object is
>   passed back to the caller as part of a StreamWriteResult structure. This
>   may be exploited to corrupt memory leading to a Denial of Service or
>   potentially other exploits.
>
> - CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of
>   Node.js allow two copies of a header field in an HTTP request. For
>   example, two Transfer-Encoding header fields. In this case Node.js
>   identifies the first header field and ignores the second. This can lead
>   to HTTP Request Smuggling.
>
> - CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
>   This is a vulnerability in OpenSSL which may be exploited through Node.js.
>   You can read more about it in
>   https://www.openssl.org/news/secadv/20201208.txt
>
> Update the license hash for the addition of the (MIT licensed)
> cjs-module-lexer module:
> https://github.com/nodejs/node/commit/9eb1fa19248949dfc716807b1dc97dedf36da14e
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2020.02.x and 2020.11.x, thanks.
--
Bye, Peter Korsgaard
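
A defender-side check for the condition the CVE-2020-8287 entry above describes, as an added example that is not part of the original message, of Buildroot or of Node.js: it flags a raw request head carrying two copies of Transfer-Encoding, and goes slightly beyond the entry by also flagging conflicting Content-Length values and the two headers together. The function name and the sample requests are constructed for illustration.

```javascript
'use strict';

// Header fields that decide where an HTTP/1.1 message body ends.
const FRAMING_HEADERS = new Set(['transfer-encoding', 'content-length']);

// Returns a list of findings for one raw request head (request line + headers).
// Hypothetical helper; obsolete line folding is not handled.
function findAmbiguousFraming(rawHead) {
  const seen = new Map(); // lower-cased field name -> list of values
  for (const line of rawHead.split('\r\n').slice(1)) { // skip request line
    if (line === '') break; // blank line ends the header block
    const colon = line.indexOf(':');
    if (colon <= 0) continue; // not a header field line
    // trim() also catches "Name : value", which lenient parsers may accept
    const name = line.slice(0, colon).trim().toLowerCase();
    if (!FRAMING_HEADERS.has(name)) continue;
    const value = line.slice(colon + 1).trim().toLowerCase();
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  const te = seen.get('transfer-encoding') || [];
  const cl = seen.get('content-length') || [];
  const findings = [];
  if (te.length > 1) findings.push('duplicate Transfer-Encoding');
  if (new Set(cl).size > 1) findings.push('conflicting Content-Length');
  if (te.length > 0 && cl.length > 0) {
    findings.push('Transfer-Encoding with Content-Length');
  }
  return findings;
}

// Constructed sample: the same framing header appears twice.
const SAMPLE_DUPLICATE_TE = [
  'POST /upload HTTP/1.1',
  'Host: example.test',
  'Transfer-Encoding: chunked',
  'transfer-encoding: chunked',
  '', '',
].join('\r\n');

// Constructed sample: unambiguous framing, nothing to report.
const SAMPLE_CLEAN = [
  'POST /upload HTTP/1.1',
  'Host: example.test',
  'Content-Length: 11',
  '', 'hello world',
].join('\r\n');

console.log(findAmbiguousFraming(SAMPLE_DUPLICATE_TE));
console.log(findAmbiguousFraming(SAMPLE_CLEAN));
```

A front-end or test harness that sees a non-empty result can reject the request with 400 rather than forward it.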