2021-08-31, Version 12.22.6 'Erbium' (LTS)

This is a security release. Notable changes: These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 (https://github.com/advisories/GHSA-r628-mhmh-qjhw) and CVE-2021-32804 (https://github.com/advisories/GHSA-3jfq-g458-7qm9). Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist. You can read more about it in: * CVE-2021-37701: https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc * CVE-2021-37712: https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p * CVE-2021-37713: https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh * CVE-2021-39134: https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc * CVE-2021-39135: https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2 PR-URL: https://github.com/nodejs-private/node-private/pull/288
2024-11-21 10:59:27 +00:00 · 2021-08-28 11:27:57 -04:00 · 2021-08-28 11:27:57 -04:00 · d989186cf2
commit d989186cf2
parent 4e1181761d
2 changed files with 32 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -80,7 +80,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V14.md#14.0.0">14.0.0</a><br/>
    </td>
    <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V12.md#12.22.5">12.22.5</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V12.md#12.22.6">12.22.6</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V12.md#12.22.5">12.22.5</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.22.4">12.22.4</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.22.3">12.22.3</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.22.2">12.22.2</a><br/>
--- a/doc/changelogs/CHANGELOG_V12.md
+++ b/doc/changelogs/CHANGELOG_V12.md
@ -11,6 +11,7 @@
 </tr>
 <tr>
 <td valign="top">
+<a href="#12.22.6">12.22.6</a><br/>
 <a href="#12.22.5">12.22.5</a><br/>
 <a href="#12.22.4">12.22.4</a><br/>
 <a href="#12.22.3">12.22.3</a><br/>
@ -79,6 +80,35 @@
  * [io.js](CHANGELOG_IOJS.md)
  * [Archive](CHANGELOG_ARCHIVE.md)

+<a id="12.22.6"></a>
+## 2021-08-31, Version 12.22.6 'Erbium' (LTS), @MylesBorins
+
+This is a security release.
+
+### Notable Changes
+
+These are vulnerabilities in the node-tar, arborist, and npm cli modules which
+are related to the initial reports and subsequent remediation of node-tar
+vulnerabilities [CVE-2021-32803](https://github.com/advisories/GHSA-r628-mhmh-qjhw)
+and [CVE-2021-32804](https://github.com/advisories/GHSA-3jfq-g458-7qm9).
+Subsequent internal security review of node-tar and additional external bounty
+reports have resulted in another 5 CVE being remediated in core npm CLI
+dependencies including node-tar, and npm arborist.
+
+You can read more about it in:
+
+* [CVE-2021-37701](https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc)
+* [CVE-2021-37712](https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p)
+* [CVE-2021-37713](https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh)
+* [CVE-2021-39134](https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc)
+* [CVE-2021-39135](https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2)
+
+### Commits
+
+* [[`a0154b586b`](https://github.com/nodejs/node/commit/a0154b586b)] - **deps**: update archs files for OpenSSL-1.1.1l (Richard Lau) [#39869](https://github.com/nodejs/node/pull/39869)
+* [[`7a95637eb7`](https://github.com/nodejs/node/commit/7a95637eb7)] - **deps**: upgrade openssl sources to 1.1.1l (Richard Lau) [#39869](https://github.com/nodejs/node/pull/39869)
+* [[`840b0ffff6`](https://github.com/nodejs/node/commit/840b0ffff6)] - **deps**: upgrade npm to 6.14.15 (Darcy Clarke) [#39856](https://github.com/nodejs/node/pull/39856)
+
 <a id="12.22.5"></a>
 ## 2021-08-11, Version 12.22.5 'Erbium' (LTS), @BethGriggs