Commit 0aece06

blog: Sep 2020 sec release post announcement (#3379)
Signed-off-by: Michael Dawson <[email protected]>
1 parent 2b91e21 commit 0aece06

2 files changed

+43
-2
lines changed

build.js

Lines changed: 1 addition & 1 deletion
@@ -278,7 +278,7 @@ function getSource (callback) {
278278
},
279279
banner: {
280280
visible: true,
281-
text: 'New security releases to be made available Sep 15, 2020',
281+
text: 'New security releases are available',
282282
link: '/en/blog/vulnerability/september-2020-security-releases/'
283283
}
284284
}
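Review bot: the new banner text on the `281+` line, `text: 'New security releases are available'`, drops the month that the old text carried, so the banner will read ambiguously if it stays up past this release cycle; consider `text: 'September 2020 security releases are available'`, which also matches the slug in the unchanged `link: '/en/blog/vulnerability/september-2020-security-releases/'` line directly below it.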

locale/en/blog/vulnerability/september-2020-security-releases.md

Lines changed: 42 additions & 1 deletion
@@ -1,12 +1,53 @@
11
---
2-
date: 2020-09-08T18:00:00.000Z
2+
date: 2020-09-15T21:50:00.000Z
33
category: vulnerability
44
title: September 2020 Security Releases
55
slug: september-2020-security-releases
66
layout: blog-post.hbs
77
author: Michael Dawson
88
---
99

10+
## _(Update 15-Sept-2020)_ Security releases available
11+
12+
Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.
13+
14+
### HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)
15+
16+
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.
17+
18+
Impacts:
19+
* All versions of the 14.x and 12.x releases line
20+
21+
Thank you to Amit Klein who works at Safebreach for reporting this vulnerability.
22+
23+
### Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)
24+
25+
Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout
26+
with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.
27+
28+
Impacts:
29+
* All versions of the 14.x release line
30+
31+
Thank you to Paolo Insogna and Matteo Collina who work at NearFom for reporting and fixing this vulnerability.
32+
33+
### fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)
34+
35+
libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
36+
37+
Impacts:
38+
39+
* All versions of the 10.x release line
40+
* All versions of the 12.x release line
41+
* All versions of the 14.x release line before 14.9.0
42+
43+
## Downloads and release details
44+
45+
* [Node.js v10.22.1 (LTS)](https://nodejs.org/en/blog/release/v10.22.1/)
46+
* [Node.js v12.18.4 (LTS)](https://nodejs.org/en/blog/release/v12.18.4/)
47+
* [Node.js v14.11.0 (Current)](https://nodejs.org/en/blog/release/v14.11.0/)
48+
49+
--------------------------------------
50+
1051
## Summary
1152

1253
The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, September 15, 2020.
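Review bot: the added "Security releases available" section has several wording defects that will be visible on the live advisory. Line `12+` reads "v10,x" (comma for dot) and "for the following issues", although the per-CVE impact lists that follow show 10.x is affected only by CVE-2020-8252; suggest "v10.x, v12.x and v14.x" and stating that each line's fix set is given under its CVE. Line `19+` has "releases line" for "release lines". Line `25+` is missing its verb, "The fix a new http.Server option called requestTimeout", and uses "DOS" for "DoS"; suggest "The fix adds a new http.Server option called requestTimeout". Line `31+` credits "NearFom", which should be "NearForm". The heading on line `33+` carries a stray "on" ("fs.realpath.native on may cause buffer overflow"). Separately, the third advisory (CVE-2020-8252) is the only one without a reporter credit, unlike lines `21+` and `31+`; confirm whether that omission is intentional before publishing.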
