2020-06-02, Version 12.18.0 'Erbium' (LTS)

This is a security release. Notable changes: Vulnerabilities fixed: CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High). CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low). CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High). PR-URL: https://github.com/nodejs-private/node-private/pull/213
2024-11-21 10:59:27 +00:00 · 2020-06-02 09:10:02 +02:00 · 2020-06-02 09:10:02 +02:00 · 12bcee8628
commit 12bcee8628
parent 64e33dc952
3 changed files with 27 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -57,7 +57,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V13.md#13.0.0">13.0.0</a><br/>
    </td>
    <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V12.md#12.17.0">12.17.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V12.md#12.18.0">12.18.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V12.md#12.17.0">12.17.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.16.3">12.16.3</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.16.2">12.16.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.16.1">12.16.1</a><br/>
--- a/doc/api/http2.md
+++ b/doc/api/http2.md
@ -2003,6 +2003,7 @@ added: v8.4.0
 changes:
  - version:
     - v14.4.0
+     - v12.18.0
    pr-url: https://github.com/nodejs-private/node-private/pull/204
    description: Added `maxSettings` option with a default of 32.
  - version:
@ -2140,6 +2141,7 @@ added: v8.4.0
 changes:
  - version:
     - v14.4.0
+     - v12.18.0
    pr-url: https://github.com/nodejs-private/node-private/pull/204
    description: Added `maxSettings` option with a default of 32.
  - version:
@ -2264,6 +2266,7 @@ added: v8.4.0
 changes:
  - version:
     - v14.4.0
+     - v12.18.0
    pr-url: https://github.com/nodejs-private/node-private/pull/204
    description: Added `maxSettings` option with a default of 32.
  - version: v13.0.0
--- a/doc/changelogs/CHANGELOG_V12.md
+++ b/doc/changelogs/CHANGELOG_V12.md
@ -11,6 +11,7 @@
 </tr>
 <tr>
 <td valign="top">
+<a href="#12.18.0">12.18.0</a><br/>
 <a href="#12.17.0">12.17.0</a><br/>
 <a href="#12.16.3">12.16.3</a><br/>
 <a href="#12.16.2">12.16.2</a><br/>
@ -60,6 +61,27 @@
  * [io.js](CHANGELOG_IOJS.md)
  * [Archive](CHANGELOG_ARCHIVE.md)

+<a id="12.18.0"></a>
+## 2020-06-02, Version 12.18.0 'Erbium' (LTS), @targos
+
+### Notable changes
+
+This is a security release.
+
+Vulnerabilities fixed:
+* **CVE-2020-8172**: TLS session reuse can lead to host certificate verification bypass (High).
+* **CVE-2020-11080**: HTTP/2 Large Settings Frame DoS (Low).
+* **CVE-2020-8174**: `napi_get_value_string_*()` allows various kinds of memory corruption (High).
+
+### Commits
+
+* [[`c6d0bdacc4`](https://github.com/nodejs/node/commit/c6d0bdacc4)] - **crypto**: update root certificates (AshCripps) [#33682](https://github.com/nodejs/node/pull/33682)
+* [[`916b2824d1`](https://github.com/nodejs/node/commit/916b2824d1)] - **(SEMVER-MINOR)** **deps**: update nghttp2 to 1.41.0 (James M Snell) [nodejs-private/node-private#206](https://github.com/nodejs-private/node-private/pull/206)
+* [[`d381426377`](https://github.com/nodejs/node/commit/d381426377)] - **(SEMVER-MINOR)** **http2**: implement support for max settings entries (James M Snell) [nodejs-private/node-private#206](https://github.com/nodejs-private/node-private/pull/206)
+* [[`7dd8982570`](https://github.com/nodejs/node/commit/7dd8982570)] - **napi**: fix memory corruption vulnerability (Tobias Nießen) [nodejs-private/node-private#195](https://github.com/nodejs-private/node-private/pull/195)
+* [[`0932309af2`](https://github.com/nodejs/node/commit/0932309af2)] - **tls**: emit `session` after verifying certificate (Fedor Indutny) [nodejs-private/node-private#200](https://github.com/nodejs-private/node-private/pull/200)
+* [[`c392d3923f`](https://github.com/nodejs/node/commit/c392d3923f)] - **tools**: update certdata.txt (AshCripps) [#33682](https://github.com/nodejs/node/pull/33682)
+
 <a id="12.17.0"></a>
 ## 2020-05-26, Version 12.17.0 'Erbium' (LTS), @targos