Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update node.js to v10.24.1 #127

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jan 4, 2021

Mend Renovate

This PR contains the following updates:

Package Update Change
node minor 10.23.0 -> 10.24.1

Release Notes

nodejs/node

v10.24.1: 2021-04-06, Version 10.24.1 'Dubnium' (LTS), @​mylesborins

Compare Source

This is a security release.

Notable Changes

Vulerabilties fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines
Commits

v10.24.0: 2021-02-23, Version 10.24.0 'Dubnium' (LTS), @​richardlau

Compare Source

This is a security release.

Notable changes

Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    • Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
  • CVE-2021-22884: DNS rebinding in --inspect
    • Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Commits

v10.23.3: 2021-02-09, Version 10.23.3 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

The update to npm 6.14.11 has been relanded so that npm correctly reports its version.

Commits

v10.23.2: 2021-01-26, Version 10.23.2 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

Release keys have been synchronized with the main branch.

  • deps:
    • upgrade npm to 6.14.11 (Darcy Clarke) #​36838
Commits

v10.23.1: 2021-01-04, Version 10.23.1 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8265: use-after-free in TLSWrap (High)
    Affected Node.js versions are vulnerable to a use-after-free bug in its
    TLS implementation. When writing to a TLS enabled socket,
    node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
    allocated WriteWrap object as first argument. If the DoWrite method does
    not return an error, this object is passed back to the caller as part of
    a StreamWriteResult structure. This may be exploited to corrupt memory
    leading to a Denial of Service or potentially other exploits
  • CVE-2020-8287: HTTP Request Smuggling in nodejs
    Affected versions of Node.js allow two copies of a header field in a
    http request. For example, two Transfer-Encoding header fields. In this
    case Node.js identifies the first header field and ignores the second.
    This can lead to HTTP Request Smuggling
    (https://cwe.mitre.org/data/definitions/444.html).
  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
    This is a vulnerability in OpenSSL which may be exploited through Node.js.
    You can read more about it in
    https://www.openssl.org/news/secadv/20201208.txt
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/node-10.x branch from 5e0317d to 5694f47 Compare January 26, 2021 18:04
@renovate renovate bot changed the title chore(deps): update node.js to v10.23.1 chore(deps): update node.js to v10.23.2 Jan 26, 2021
@renovate renovate bot force-pushed the renovate/node-10.x branch from 5694f47 to 675288d Compare February 10, 2021 00:44
@renovate renovate bot changed the title chore(deps): update node.js to v10.23.2 chore(deps): update node.js to v10.23.3 Feb 10, 2021
@renovate renovate bot force-pushed the renovate/node-10.x branch from 675288d to d222693 Compare February 23, 2021 12:58
@renovate renovate bot changed the title chore(deps): update node.js to v10.23.3 chore(deps): update node.js to v10.24.0 Feb 23, 2021
@renovate renovate bot force-pushed the renovate/node-10.x branch from d222693 to 54b6cf9 Compare April 6, 2021 20:43
@renovate renovate bot changed the title chore(deps): update node.js to v10.24.0 chore(deps): update node.js to v10.24.1 Apr 6, 2021
@renovate renovate bot changed the title chore(deps): update node.js to v10.24.1 chore(deps): update Node.js to v10.24.1 Jun 27, 2022
@renovate renovate bot changed the title chore(deps): update Node.js to v10.24.1 chore(deps): update node.js to v10.24.1 Jun 28, 2022
@renovate
Copy link
Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant