Comparing changes
base repository: nodejs/node
base: v14.17.4
head repository: nodejs/node
compare: v14.17.5
  • 8 commits
  • 99 files changed
  • 4 contributors

Commits on Jul 29, 2021

  1. Working on v14.17.5

    PR-URL: #39466
    richardlau committed Jul 29, 2021
    Commit: f96f2d4

Commits on Aug 9, 2021

  1. http2: update handling of rst_stream with error code NGHTTP2_CANCEL

    The PR updates the handling of rst_stream frames and adds all streams
    to the pending list on receiving rst frames with the error code
    NGHTTP2_CANCEL.
    
    The changes will remove the dependency on the stream state that may allow
    bypassing the checks in certain cases. I think a better solution is to
    delay streams in all cases if rst_stream is received for the cancel
    events.
    
    The rst_stream frames can be received for protocol/connection errors as
    well; those should be handled immediately. Adding streams to the pending
    list in such cases may cause errors.
    
    CVE-ID: CVE-2021-22930
    Refs: https://nvd.nist.gov/vuln/detail/CVE-2021-22930
    PR-URL: #39622
    Refs: #39423
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Beth Griggs <bgriggs@redhat.com>
    kumarak authored and BethGriggs committed Aug 9, 2021
    Commit: 434872e
  2. http2: add tests for cancel event while client is paused reading

    PR-URL: #39622
    Refs: #39423
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Beth Griggs <bgriggs@redhat.com>
    kumarak authored and BethGriggs committed Aug 9, 2021
    Commit: af5c1af
  3. tls: validate "rejectUnauthorized: undefined"

    Incomplete validation of rejectUnauthorized parameter (Low)
    
    If the Node.js https API was used incorrectly and "undefined" was passed
    in for the "rejectUnauthorized" parameter, no error was returned and
    connections to servers with an expired certificate would have been
    accepted.
    
    CVE-ID: CVE-2021-22939
    Refs: https://nvd.nist.gov/vuln/detail/CVE-2021-22939
    Refs: https://hackerone.com/reports/1278254
    PR-URL: nodejs-private/node-private#276
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Akshay K <iit.akshay@gmail.com>
    Reviewed-By: Robert Nagy <ronagy@icloud.com>
    Reviewed-By: Richard Lau <rlau@redhat.com>
    mcollina authored and BethGriggs committed Aug 9, 2021
    Commit: 35b8611
  4. deps: apply missed updates from c-ares 1.17.1

    PR-URL: #39653
    Refs: c-ares/c-ares#349
    Refs: #36207
    Reviewed-By: Richard Lau <rlau@redhat.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    BethGriggs committed Aug 9, 2021
    Commit: 33208e2
  5. deps: reflect c-ares source tree

    c-ares refactored their source tree in 1.17.0 which we did not apply in
    our update to 1.17.1. This commit syncs our source with their new
    structure for easier maintenance going forward. cares.gyp is updated
    accordingly.
    
    Refs: c-ares/c-ares#349
    Refs: #36207
    
    PR-URL: #39653
    Reviewed-By: Richard Lau <rlau@redhat.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    BethGriggs committed Aug 9, 2021
    Commit: 847a4c6

Commits on Aug 10, 2021

  1. deps: update c-ares to 1.17.2

    Refs: https://github.com/c-ares/c-ares/releases/tag/cares-1_17_2
    
    CVE-ID: CVE-2021-3672, CVE-2021-22931
    Refs: https://nvd.nist.gov/vuln/detail/CVE-2021-3672
    Refs: https://nvd.nist.gov/vuln/detail/CVE-2021-22931
    PR-URL: #39724
    Reviewed-By: Richard Lau <rlau@redhat.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    BethGriggs committed Aug 10, 2021
    Commit: 4923b59

Commits on Aug 11, 2021

  1. 2021-08-11, Version 14.17.5 'Fermium' (LTS)

    This is a security release.
    
    Notable Changes:
    
    - CVE-2021-3672/CVE-2021-22931:
        Improper handling of untypical characters in domain names (High)
    - CVE-2021-22930:
        Use after free on close http2 on stream canceling (High)
    - CVE-2021-22939:
        Incomplete validation of rejectUnauthorized parameter (Low)
    
    PR-URL: nodejs-private/node-private#279
    BethGriggs committed Aug 11, 2021
    Commit: db159ab