
Commit d602e58

2020-02-06, Version 10.19.0 'Dubnium' (LTS)
This is a security release. Vulnerabilities fixed:

* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the `--insecure-http-parser` command line flag, or the `insecureHTTPParser` http option. Using the insecure HTTP parser should be avoided.

PR-URL: nodejs-private/node-private#198
1 parent e65ae42 commit d602e58
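The commit message above says the parser is now stricter and that the old behaviour can be re-enabled, but it does not show what a lenient parser gets wrong. The block below is an added illustrative model written for this page; it is not Node's http-parser, not code from this release, and not a description of exactly how the old parser failed. It frames HTTP/1.1 requests in a "strict" mode (trailing OWS trimmed from header values, `Transfer-Encoding` must be exactly `chunked`) and a "lenient" mode (neither check), then runs one constructed TE.CL smuggling payload through both to show the two parsers disagreeing about how many requests the bytes contain. The function names `parseHead`, `framing`, `bodyEnd`, `splitRequests` and `smugglingPayload`, the payload itself, and the precise lenient behaviour are all assumptions of the illustration.

```javascript
'use strict';
// Added illustration (not Node's http-parser): a tiny model of HTTP/1.1
// request framing with a strict and a lenient mode, to show why a parser
// that keeps trailing whitespace on header values or tolerates a malformed
// Transfer-Encoding can disagree with a conformant peer about where one
// request ends and the next begins (request smuggling).

const CRLF = '\r\n';

// Parse one request head starting at `start`. In strict mode, trailing OWS
// (SP / HTAB) on each header value is trimmed as RFC 7230 s3.2.4 requires;
// in lenient mode it is kept, so "chunked " is not recognised as "chunked".
function parseHead(raw, start, strict) {
  const end = raw.indexOf(CRLF + CRLF, start);
  if (end === -1) throw new Error('incomplete head');
  const lines = raw.slice(start, end).split(CRLF);
  const [method, target, version, ...extra] = lines[0].split(' ');
  if (!method || !target || extra.length || !/^HTTP\/1\.[01]$/.test(version || '')) {
    throw new Error(`malformed request line: ${JSON.stringify(lines[0])}`);
  }
  const headers = [];
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon < 1) throw new Error(`malformed header: ${JSON.stringify(line)}`);
    const name = line.slice(0, colon).toLowerCase();
    let value = line.slice(colon + 1).replace(/^[ \t]+/, '');
    if (strict) value = value.replace(/[ \t]+$/, '');
    headers.push([name, value]);
  }
  return { method, target, headers, bodyStart: end + 4 };
}

// Decide how the body is framed (RFC 7230 s3.3.3): Transfer-Encoding wins
// over Content-Length when both are present. Strict mode rejects any
// Transfer-Encoding other than exactly "chunked"; the lenient mode modelled
// here ignores it and falls through to Content-Length, which is the desync.
function framing(head, strict) {
  const get = (n) => head.headers.filter(([k]) => k === n).map(([, v]) => v);
  const te = get('transfer-encoding');
  const cl = get('content-length');
  if (te.length) {
    const last = te[te.length - 1];
    if (last === 'chunked') return { kind: 'chunked' };
    if (strict) throw new Error(`unsupported Transfer-Encoding: ${JSON.stringify(last)}`);
  }
  if (cl.length) {
    if (!cl.every((v) => /^\d+$/.test(v) && v === cl[0])) throw new Error('bad Content-Length');
    return { kind: 'length', length: Number(cl[0]) };
  }
  return { kind: 'none' };
}

// Return the offset just past the body of the request whose head is `head`.
function bodyEnd(raw, head, frame) {
  let pos = head.bodyStart;
  if (frame.kind === 'none') return pos;
  if (frame.kind === 'length') return pos + frame.length;
  for (;;) { // chunked: size line, data, CRLF, ... until a zero-size chunk
    const eol = raw.indexOf(CRLF, pos);
    const sizeText = eol === -1 ? '' : raw.slice(pos, eol);
    if (!/^[0-9a-fA-F]+$/.test(sizeText)) throw new Error('bad chunk size');
    const size = parseInt(sizeText, 16);
    pos = eol + 2;
    if (size === 0) {
      if (raw.slice(pos, pos + 2) !== CRLF) throw new Error('missing final CRLF');
      return pos + 2;
    }
    if (raw.slice(pos + size, pos + size + 2) !== CRLF) throw new Error('chunk data not CRLF-terminated');
    pos += size + 2;
  }
}

// Split a connection's bytes into the requests a parser in the given mode
// would see; returns "METHOD target" for each, in order.
function splitRequests(raw, strict) {
  const out = [];
  let pos = 0;
  while (pos < raw.length) {
    const head = parseHead(raw, pos, strict);
    pos = bodyEnd(raw, head, framing(head, strict));
    out.push(`${head.method} ${head.target}`);
  }
  return out;
}

// Constructed TE.CL smuggling payload (sample input made up for this
// example): a conformant parser reads one chunked POST; a lenient one uses
// Content-Length: 4, so the chunk data is parsed as a second request.
function smugglingPayload() {
  const inner = ['GET /admin HTTP/1.1', 'Host: app.example', 'Content-Length: 10', '', 'x=1'].join(CRLF);
  return [
    'POST / HTTP/1.1',
    'Host: app.example',
    'Content-Length: 4',
    'Transfer-Encoding: chunked ', // trailing space is the point of the payload
    '',
    inner.length.toString(16),    // chunk size derived, not hand-counted
    inner,
    '0',
    '',
    '',
  ].join(CRLF);
}

const payload = smugglingPayload();
console.log('strict :', splitRequests(payload, true));   // one request
console.log('lenient:', splitRequests(payload, false));  // POST plus a smuggled GET
```

Run it with `node` and compare the two lines: the strict framing sees a single `POST /`, the lenient framing sees `GET /admin` as a separate request, and replacing the trailing-space value with something like `chunkedfoo` makes the strict mode reject the request outright instead of guessing. In a real Node deployment the lenient path corresponds to starting the process with `--insecure-http-parser`, or to passing `insecureHTTPParser: true` in the options of `http.createServer()` or `http.request()` (the per-server / per-stream form referred to in commit 0082f62d9c); if a non-conformant client genuinely requires it, confine the option to that one listener rather than the whole process.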

2 files changed

Lines changed: 32 additions & 1 deletion


CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -65,7 +65,8 @@ release.
6565
<a href="doc/changelogs/CHANGELOG_V12.md#12.0.0">12.0.0</a><br/>
6666
</td>
6767
<td valign="top">
68-
<b><a href="doc/changelogs/CHANGELOG_V10.md#10.18.1">10.18.1</a></b><br/>
68+
<b><a href="doc/changelogs/CHANGELOG_V10.md#10.19.0">10.19.0</a></b><br/>
69+
<a href="doc/changelogs/CHANGELOG_V10.md#10.18.1">10.18.1</a><br/>
6970
<a href="doc/changelogs/CHANGELOG_V10.md#10.18.0">10.18.0</a><br/>
7071
<a href="doc/changelogs/CHANGELOG_V10.md#10.17.0">10.17.0</a><br/>
7172
<a href="doc/changelogs/CHANGELOG_V10.md#10.16.3">10.16.3</a><br/>

doc/changelogs/CHANGELOG_V10.md

Lines changed: 30 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -10,6 +10,7 @@
1010
</tr>
1111
<tr>
1212
<td valign="top">
13+
<a href="#10.19.0">10.19.0</a><br/>
1314
<a href="#10.18.1">10.18.1</a><br/>
1415
<a href="#10.18.0">10.18.0</a><br/>
1516
<a href="#10.17.0">10.17.0</a><br/>
@@ -61,6 +62,35 @@
6162
* [io.js](CHANGELOG_IOJS.md)
6263
* [Archive](CHANGELOG_ARCHIVE.md)
6364

65+
<a id="10.19.0"></a>
66+
## 2020-02-06, Version 10.19.0 'Dubnium' (LTS), @BethGriggs
67+
68+
### Notable changes
69+
70+
This is a security release.
71+
72+
Vulnerabilities fixed:
73+
* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
74+
* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
75+
* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.
76+
77+
Also, HTTP parsing is more strict to be more secure. Since this may
78+
cause problems in interoperability with some non-conformant HTTP
79+
implementations, it is possible to disable the strict checks with the
80+
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
81+
http option. Using the insecure HTTP parser should be avoided.
82+
83+
### Commits
84+
85+
* [[`f940bee3b7`](https://github.com/nodejs/node/commit/f940bee3b7)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://github.com/nodejs-private/node-private/pull/175)
86+
* [[`49f4220ce5`](https://github.com/nodejs/node/commit/49f4220ce5)] - **deps**: upgrade http-parser to v2.9.3 (Sam Roberts) [nodejs-private/http-parser-private#4](https://github.com/nodejs-private/http-parser-private/pull/4)
87+
* [[`a28e5cc1ed`](https://github.com/nodejs/node/commit/a28e5cc1ed)] - **(SEMVER-MINOR)** **deps**: upgrade http-parser to v2.9.1 (Sam Roberts) [#30471](https://github.com/nodejs/node/pull/30471)
88+
* [[`0082f62d9c`](https://github.com/nodejs/node/commit/0082f62d9c)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://github.com/nodejs/node/pull/31448)
89+
* [[`a9849c0ff6`](https://github.com/nodejs/node/commit/a9849c0ff6)] - **(SEMVER-MINOR)** **http**: opt-in insecure HTTP header parsing (Sam Roberts) [#30567](https://github.com/nodejs/node/pull/30567)
90+
* [[`2eee90e959`](https://github.com/nodejs/node/commit/2eee90e959)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#191](https://github.com/nodejs-private/node-private/pull/191)
91+
* [[`e2c8f89b75`](https://github.com/nodejs/node/commit/e2c8f89b75)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#192](https://github.com/nodejs-private/node-private/pull/192)
92+
* [[`d616722f65`](https://github.com/nodejs/node/commit/d616722f65)] - **test**: check that --insecure-http-parser works (Sam Roberts) [#31253](https://github.com/nodejs/node/pull/31253)
93+
6494
<a id="10.18.1"></a>
6595
## 2020-01-09, Version 10.18.1 'Dubnium' (LTS), @BethGriggs
6696
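Review bot: the three CVE bullets under "Notable changes" are not tied to the commits that fix them, even though the commit list in the same hunk names them: `2eee90e959` (strip trailing OWS from header values) for CVE-2019-15606, `49f4220ce5` (http-parser v2.9.3) together with its test `e2c8f89b75` for CVE-2019-15605, and `f940bee3b7` (assertion caused by unsupported ext) for CVE-2019-15604; linking each bullet to its commit lets anyone auditing or backporting the release find the change directly. The same paragraph mentions the `insecureHTTPParser` "http option" without saying where it is accepted, while commit `0082f62d9c` states it is configurable per-stream or per-server; say so, because it tells operators they can scope the downgrade to one server or request instead of the process-wide `--insecure-http-parser` flag. Finally, "should be avoided" would carry more weight with its reason stated in the notes: the insecure parser re-enables the malformed Transfer-Encoding handling that CVE-2019-15605 closes and keeps the trailing-OWS behaviour of CVE-2019-15606.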
