From dab20ccea75ac3576ce3d2343f9c49c6746ed46e Mon Sep 17 00:00:00 2001 From: marco-ippolito Date: Mon, 1 Apr 2024 16:35:11 +0200 Subject: [PATCH] 2024-04-03, Version 21.7.2 (Current) This is a security release. Notable changes: deps: * update undici to 6.11.1 (node-js-github-bot) https://github.com/nodejs/node/pull/52328 http: * do not allow OBS fold in headers by default (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/556 src: * ensure to close stream when destroying session (RafaelGSS) https://github.com/nodejs-private/node-private/pull/561 PR-URL: https://github.com/nodejs-private/node-private/pull/574 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V21.md | 28 +++++++++++++++++++++++++--- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cd8c931931..ffc3e004da0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,7 +36,8 @@ release. -21.7.1
+21.7.2
+21.7.1
21.7.0
21.6.2
21.6.1
diff --git a/doc/changelogs/CHANGELOG_V21.md b/doc/changelogs/CHANGELOG_V21.md index ee3247257f8..053d32b0805 100644 --- a/doc/changelogs/CHANGELOG_V21.md +++ b/doc/changelogs/CHANGELOG_V21.md @@ -8,6 +8,7 @@ +21.7.2
21.7.1
21.7.0
21.6.2
@@ -46,6 +47,27 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2024-04-03, Version 21.7.2 (Current), @RafaelGSS prepared by @marco-ippolito + +This is a security release. + +### Notable changes + +* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High) +* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation- (Medium) +* llhttp version 9.2.1 +* undici version 6.11.1 + +### Commits + +* \[[`3dfc10c851`](https://github.com/nodejs/node/commit/3dfc10c851)] - **deps**: update undici to 6.11.1 (Node.js GitHub Bot) [#52328](https://github.com/nodejs/node/pull/52328) +* \[[`aceea1c5e7`](https://github.com/nodejs/node/commit/aceea1c5e7)] - **deps**: update undici to 6.10.2 (Node.js GitHub Bot) [#52227](https://github.com/nodejs/node/pull/52227) +* \[[`5f0f96b275`](https://github.com/nodejs/node/commit/5f0f96b275)] - **deps**: update llhttp to 9.2.0 (Node.js GitHub Bot) [#51719](https://github.com/nodejs/node/pull/51719) +* \[[`1a65e98e22`](https://github.com/nodejs/node/commit/1a65e98e22)] - **http**: do not allow OBS fold in headers by default (Paolo Insogna) [nodejs-private/node-private#556](https://github.com/nodejs-private/node-private/pull/556) +* \[[`3bd39fb474`](https://github.com/nodejs/node/commit/3bd39fb474)] - **src**: ensure to close stream when destroying session (RafaelGSS) [nodejs-private/node-private#561](https://github.com/nodejs-private/node-private/pull/561) + ## 2024-03-08, Version 21.7.1 (Current), @targos @@ -515,7 +537,7 @@ Node.js 21.6.0 comes with several fixes for the experimental permission model an We're adding a new flag `--allow-addons` to enable addon usage when using the Permission Model. ```console -$ node --experimental-permission --allow-addons +node --experimental-permission --allow-addons ``` Contributed by Rafael Gonzaga in [#51183](https://github.com/nodejs/node/pull/51183) @@ -524,7 +546,7 @@ And relative paths are now supported through the `--allow-fs-*` flags. Therefore, with this release one can use: ```console -$ node --experimental-permission --allow-fs-read=./index.js +node --experimental-permission --allow-fs-read=./index.js ``` To give only read access to the entrypoint of the application. @@ -536,7 +558,7 @@ Contributed by Rafael Gonzaga and Carlos Espa in [#50758](https://github.com/nod We are adding a new flag `--build-snapshot-config` to configure snapshots through a custom JSON configuration file. ```console -$ node --build-snapshot-config=/path/to/myconfig.json +node --build-snapshot-config=/path/to/myconfig.json ``` When using this flag, additional script files provided on the command line will