Skip to content
This repository has been archived by the owner on Sep 10, 2021. It is now read-only.

Update Node.js to v14.17.6 #165

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update Node.js to v14.17.6 #165

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Sep 10, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Type Update Change
node final minor 14.16.0-buster-slim -> 14.17.6-buster-slim

Release Notes

nodejs/node

v14.17.6

Compare Source

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803
and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

You can read more about it in:

Commits

v14.17.5

Compare Source

This is a security release.

Notable Changes
  • CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
    • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
  • CVE-2021-22930: Use after free on close http2 on stream canceling (High)
  • CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
    • If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Commits

v14.17.4

Compare Source

This is a security release.

Notable Changes

This releases also fixes some regressions with internationalization introduced by the ICU updates in Node.js 14.17.0 and 14.17.1.

Commits

v14.17.3

Compare Source

Notable Changes

Node.js 14.17.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.

Commits

v14.17.2

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
    • Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
  • CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
    • Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
Commits

v14.17.1

Compare Source

Notable Changes
Commits

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant