1. 15 Jan, 2022 11 commits
  2. 14 Jan, 2022 13 commits
  3. 13 Jan, 2022 3 commits
  4. 12 Jan, 2022 2 commits
  5. 11 Jan, 2022 11 commits
    • url,lib: pass urlsearchparams-constructor.any.js · 38b7961c
      XadillaX committed
      According to WPT:
      
      1. `URLSearchParams` constructor should throw exactly `TypeError` if any
         Error occurs.
      2. When a record is passed to the `URLSearchParams` constructor, two different
         keys may result in the same key after `toUVString()`. We should leave only the
         later one.
      
      PR-URL: https://github.com/nodejs/node/pull/41197
      Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
      38b7961c
    • doc: update mailmap entries for mhdawson · 02abe5cb
      Michael Dawson committed
      Update the content and order of my mailmap entries. Recent
      changelogs have been using my outdated email address.
      Signed-off-by: Michael Dawson <mdawson@devrus.com>
      
      PR-URL: https://github.com/nodejs/node/pull/41437
      Reviewed-By: Tierney Cyren <hello@bnb.im>
      Reviewed-By: Adrian Estrada <edsadr@gmail.com>
      Reviewed-By: Richard Lau <rlau@redhat.com>
      Reviewed-By: Derek Lewis <DerekNonGeneric@inf.is>
      Reviewed-By: Rich Trott <rtrott@gmail.com>
      02abe5cb
    • stream: fix error-path function call · 8c3637cd
      Rich Trott committed
      The `onFinish()` function takes a single argument. The two extra
      arguments passed here are already in the function scope, and may result
      in the error being mishandled.
      
      PR-URL: https://github.com/nodejs/node/pull/41433
      Reviewed-By: Robert Nagy <ronagy@icloud.com>
      Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
      Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
      Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
      Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
      Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
      8c3637cd
    • 2022-01-10, Version 17.3.1 (Current) · c4194c0d
      Beth Griggs committed
      This is a security release.
      
      Notable changes:
      
      Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
      - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
      is specifically defined to use a particular SAN type, can result in
      bypassing name-constrained intermediates. Node.js was accepting URI SAN
      types, which PKIs are often not defined to use. Additionally, when a
      protocol allows URI SANs, Node.js did not match the URI correctly.
      - Versions of Node.js with the fix for this disable the URI SAN type when
      checking a certificate against a hostname. This behavior can be
      reverted through the `--security-revert` command-line option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
      
      Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
      - Node.js converts SANs (Subject Alternative Names) to a string format.
      It uses this string to check peer certificates against hostnames when
      validating connections. The string format was subject to an injection
      vulnerability when name constraints were used within a certificate
      chain, allowing the bypass of these name constraints.
      - Versions of Node.js with the fix for this escape SANs containing the
      problematic characters in order to prevent the injection. This
      behavior can be reverted through the `--security-revert` command-line
      option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
      
      Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
      - Node.js did not handle multi-value Relative Distinguished Names
      correctly. Attackers could craft certificate subjects containing a
      single-value Relative Distinguished Name that would be interpreted as a
      multi-value Relative Distinguished Name, for example, in order to inject
      a Common Name that would allow bypassing the certificate subject
      verification.
      - Affected versions of Node.js do not accept multi-value Relative
      Distinguished Names and are thus not vulnerable to such attacks
      themselves. However, third-party code that uses node's ambiguous
      presentation of certificate subjects may be vulnerable.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
      
      Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
      - Due to the formatting logic of the `console.table()` function it was
      not safe to allow user controlled input to be passed to the `properties`
      parameter while simultaneously passing a plain object with at least one
      property as the first parameter, which could be `__proto__`. The
      prototype pollution has very limited control, in that it only allows an
      empty string to be assigned numerical keys of the object prototype.
      - Versions of Node.js with the fix for this use a null prototype for the
      object these properties are being assigned to.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
      
      PR-URL: https://github.com/nodejs-private/node-private/pull/311
      c4194c0d
    • 2022-01-10, Version 16.13.2 'Gallium' (LTS) · f99a2c27
      Danielle Adams committed
      This is a security release.
      
      Notable changes:
      
      Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
      - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
      is specifically defined to use a particular SAN type, can result in
      bypassing name-constrained intermediates. Node.js was accepting URI SAN
      types, which PKIs are often not defined to use. Additionally, when a
      protocol allows URI SANs, Node.js did not match the URI correctly.
      - Versions of Node.js with the fix for this disable the URI SAN type when
      checking a certificate against a hostname. This behavior can be
      reverted through the `--security-revert` command-line option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
      
      Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
      - Node.js converts SANs (Subject Alternative Names) to a string format.
      It uses this string to check peer certificates against hostnames when
      validating connections. The string format was subject to an injection
      vulnerability when name constraints were used within a certificate
      chain, allowing the bypass of these name constraints.
      - Versions of Node.js with the fix for this escape SANs containing the
      problematic characters in order to prevent the injection. This
      behavior can be reverted through the `--security-revert` command-line
      option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
      
      Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
      - Node.js did not handle multi-value Relative Distinguished Names
      correctly. Attackers could craft certificate subjects containing a
      single-value Relative Distinguished Name that would be interpreted as a
      multi-value Relative Distinguished Name, for example, in order to inject
      a Common Name that would allow bypassing the certificate subject
      verification.
      - Affected versions of Node.js do not accept multi-value Relative
      Distinguished Names and are thus not vulnerable to such attacks
      themselves. However, third-party code that uses node's ambiguous
      presentation of certificate subjects may be vulnerable.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
      
      Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
      - Due to the formatting logic of the `console.table()` function it was
      not safe to allow user controlled input to be passed to the `properties`
      parameter while simultaneously passing a plain object with at least one
      property as the first parameter, which could be `__proto__`. The
      prototype pollution has very limited control, in that it only allows an
      empty string to be assigned numerical keys of the object prototype.
      - Versions of Node.js with the fix for this use a null prototype for the
      object these properties are being assigned to.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
      
      PR-URL: https://github.com/nodejs-private/node-private/pull/312
      f99a2c27
    • 2022-01-10, Version 14.18.3 'Fermium' (LTS) · af829837
      Richard Lau committed
      This is a security release.
      
      Notable changes:
      
      Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
      - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
      is specifically defined to use a particular SAN type, can result in
      bypassing name-constrained intermediates. Node.js was accepting URI SAN
      types, which PKIs are often not defined to use. Additionally, when a
      protocol allows URI SANs, Node.js did not match the URI correctly.
      - Versions of Node.js with the fix for this disable the URI SAN type when
      checking a certificate against a hostname. This behavior can be
      reverted through the `--security-revert` command-line option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
      
      Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
      - Node.js converts SANs (Subject Alternative Names) to a string format.
      It uses this string to check peer certificates against hostnames when
      validating connections. The string format was subject to an injection
      vulnerability when name constraints were used within a certificate
      chain, allowing the bypass of these name constraints.
      - Versions of Node.js with the fix for this escape SANs containing the
      problematic characters in order to prevent the injection. This
      behavior can be reverted through the `--security-revert` command-line
      option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
      
      Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
      - Node.js did not handle multi-value Relative Distinguished Names
      correctly. Attackers could craft certificate subjects containing a
      single-value Relative Distinguished Name that would be interpreted as a
      multi-value Relative Distinguished Name, for example, in order to inject
      a Common Name that would allow bypassing the certificate subject
      verification.
      - Affected versions of Node.js do not accept multi-value Relative
      Distinguished Names and are thus not vulnerable to such attacks
      themselves. However, third-party code that uses node's ambiguous
      presentation of certificate subjects may be vulnerable.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
      
      Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
      - Due to the formatting logic of the `console.table()` function it was
      not safe to allow user controlled input to be passed to the `properties`
      parameter while simultaneously passing a plain object with at least one
      property as the first parameter, which could be `__proto__`. The
      prototype pollution has very limited control, in that it only allows an
      empty string to be assigned numerical keys of the object prototype.
      - Versions of Node.js with the fix for this use a null prototype for the
      object these properties are being assigned to.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
      
      PR-URL: https://github.com/nodejs-private/node-private/pull/310
      af829837
    • 2022-01-10, Version 12.22.9 'Erbium' (LTS) · 92e1abd5
      Richard Lau committed
      This is a security release.
      
      Notable changes:
      
      Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
      - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
      is specifically defined to use a particular SAN type, can result in
      bypassing name-constrained intermediates. Node.js was accepting URI SAN
      types, which PKIs are often not defined to use. Additionally, when a
      protocol allows URI SANs, Node.js did not match the URI correctly.
      - Versions of Node.js with the fix for this disable the URI SAN type when
      checking a certificate against a hostname. This behavior can be
      reverted through the `--security-revert` command-line option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
      
      Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
      - Node.js converts SANs (Subject Alternative Names) to a string format.
      It uses this string to check peer certificates against hostnames when
      validating connections. The string format was subject to an injection
      vulnerability when name constraints were used within a certificate
      chain, allowing the bypass of these name constraints.
      - Versions of Node.js with the fix for this escape SANs containing the
      problematic characters in order to prevent the injection. This
      behavior can be reverted through the `--security-revert` command-line
      option.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
      
      Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
      - Node.js did not handle multi-value Relative Distinguished Names
      correctly. Attackers could craft certificate subjects containing a
      single-value Relative Distinguished Name that would be interpreted as a
      multi-value Relative Distinguished Name, for example, in order to inject
      a Common Name that would allow bypassing the certificate subject
      verification.
      - Affected versions of Node.js do not accept multi-value Relative
      Distinguished Names and are thus not vulnerable to such attacks
      themselves. However, third-party code that uses node's ambiguous
      presentation of certificate subjects may be vulnerable.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
      
      Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
      - Due to the formatting logic of the `console.table()` function it was
      not safe to allow user controlled input to be passed to the `properties`
      parameter while simultaneously passing a plain object with at least one
      property as the first parameter, which could be `__proto__`. The
      prototype pollution has very limited control, in that it only allows an
      empty string to be assigned numerical keys of the object prototype.
      - Versions of Node.js with the fix for this use a null prototype for the
      object these properties are being assigned to.
      - More details will be available at
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
      
      PR-URL: https://github.com/nodejs-private/node-private/pull/309
      92e1abd5
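
A simplified model of the `console.table` issue in the release notes above, added here as an illustration and not taken from Node.js: a column map keyed by caller-supplied property names, filled once on a plain object and once on a null-prototype object. `fillColumns`, `prototypeHasKey` and `compareTargets` are hypothetical names, and the demo removes the stray key from `Object.prototype` before returning.

```javascript
// Simplified model (not Node.js source): `columns` collects one cell per row
// for every property name the caller asks for.
function fillColumns(columns, properties, rowCount) {
  for (const key of properties) {
    // On a plain object, columns['__proto__'] is Object.prototype, so the
    // undefined check is false and no own property is created.
    if (columns[key] === undefined) columns[key] = {};
    for (let row = 0; row < rowCount; row++) {
      columns[key][row] = ''; // empty string for a missing cell
    }
  }
  return columns;
}

const prototypeHasKey = (k) =>
  Object.prototype.hasOwnProperty.call(Object.prototype, k);

// Runs the same fill against both kinds of target object and reports whether
// Object.prototype gained the numeric key '0'. Cleans up before returning.
function compareTargets(properties) {
  fillColumns({}, properties, 1);
  const plainObject = prototypeHasKey('0');
  delete Object.prototype[0];

  fillColumns(Object.create(null), properties, 1);
  const nullPrototype = prototypeHasKey('0');
  delete Object.prototype[0];

  return { plainObject, nullPrototype };
}

// Constructed input: the property list contains the key named on this page.
console.log(compareTargets(['__proto__']));
console.log(compareTargets(['name']));
```

On the null-prototype target, `__proto__` is an ordinary own key, so the cell lands on a fresh object instead of the shared prototype.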
    • tls: fix handling of x509 subject and issuer · a336444c
      Tobias Nießen committed
      When subject and verifier are represented as strings, escape special
      characters (such as '+') to guarantee unambiguity. Previously, different
      distinguished names could result in the same string when encoded. In
      particular, inserting a '+' in a single-value Relative Distinguished
      Name (e.g., L or OU) would produce a string that is indistinguishable
      from a multi-value Relative Distinguished Name. Third-party code that
      correctly interprets the generated string representation as a
      multi-value Relative Distinguished Name could then be vulnerable to an
      injection attack, e.g., when an attacker includes a single-value RDN
      with type OU and value 'HR + CN=example.com', the string representation
      produced by unpatched versions of Node.js would be
      'OU=HR + CN=example.com', which represents a multi-value RDN.
      
      Node.js itself is not vulnerable to this attack because the current
      implementation that parses such strings into objects does not handle '+'
      at all. This oversight leads to incorrect results, but at the same time
      appears to prevent injection attacks (as described above).
      
      With this change, the JavaScript objects representing the subject and
      issuer Relative Distinguished Names are constructed in C++ directly,
      instead of (incorrectly) encoding them as strings and then (incorrectly)
      decoding the strings in JavaScript.
      
      This addresses CVE-2021-44533.
      
      CVE-ID: CVE-2021-44533
      PR-URL: https://github.com/nodejs-private/node-private/pull/300
      Reviewed-By: Michael Dawson <midawson@redhat.com>
      Reviewed-By: Rich Trott <rtrott@gmail.com>
      a336444c
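
The ambiguity this commit message describes, as an added example that is not Node.js code or part of the commit: an unescaped encoding maps a single-value and a multi-value RDN to the same string, while an escaped encoding keeps them distinct and round-trips. The escaping scheme and all function names are hypothetical, and the two subjects are constructed samples.

```javascript
// Constructed samples. A DN is a list of RDNs; an RDN is a list of
// [type, value] pairs (more than one pair means a multi-value RDN).
const singleValueRdn = [[['OU', 'HR + CN=example.com']]];
const multiValueRdn = [[['OU', 'HR'], ['CN', 'example.com']]];

// Unescaped encoding: one RDN per line, attributes joined by ' + '.
function formatUnescaped(dn) {
  return dn.map((rdn) => rdn.map(([t, v]) => `${t}=${v}`).join(' + ')).join('\n');
}

// Hypothetical escaping scheme (not Node.js's own): backslash-escape every
// character that carries structure in this format.
function escapeValue(value) {
  return value.replace(/[\\+=\n]/g, (c) => (c === '\n' ? '\\n' : `\\${c}`));
}

function formatEscaped(dn) {
  return dn
    .map((rdn) => rdn.map(([t, v]) => `${t}=${escapeValue(v)}`).join(' + '))
    .join('\n');
}

// Parser for the escaped format: only an unescaped ' + ', the first '=' of an
// attribute, and an unescaped newline are treated as structure.
function parseEscaped(text) {
  const dn = [[]];
  let type = null; // null while the attribute type is still being read
  let buf = '';
  const closeAttr = () => {
    if (type === null) throw new Error('attribute is missing "="');
    dn[dn.length - 1].push([type, buf]);
    type = null;
    buf = '';
  };
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (c === '\\') {
      const next = text[++i];
      if (next === undefined) throw new Error('dangling escape');
      buf += next === 'n' ? '\n' : next;
    } else if (c === '=' && type === null) {
      type = buf;
      buf = '';
    } else if (c === ' ' && text.startsWith(' + ', i)) {
      closeAttr();
      i += 2; // skip the rest of the separator
    } else if (c === '\n') {
      closeAttr();
      dn.push([]);
    } else {
      buf += c;
    }
  }
  closeAttr();
  return dn;
}
```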
    • tls: drop support for URI alternative names · 50439b44
      Tobias Nießen committed
      Previously, Node.js incorrectly accepted uniformResourceIdentifier (URI)
      subject alternative names in checkServerIdentity regardless of the
      application protocol. This was incorrect even in the most common cases.
      For example, RFC 2818 specifies (and RFC 6125 confirms) that HTTP over
      TLS only uses dNSName and iPAddress subject alternative names, but not
      uniformResourceIdentifier subject alternative names.
      
      Additionally, name constrained certificate authorities might not be
      constrained to specific URIs, allowing them to issue certificates for
      URIs that specify hosts that they would not be allowed to issue dNSName
      certificates for.
      
      Even for application protocols that make use of URI subject alternative
      names (such as SIP, see RFC 5922), Node.js did not implement the
      required checks correctly, for example, because checkServerIdentity
      ignores the URI scheme.
      
      As a side effect, this also fixes an edge case. When a hostname is not
      an IP address and no dNSName subject alternative name exists, the
      subject's Common Name should be considered even when an iPAddress
      subject alternative name exists.
      
      It remains possible for users to pass a custom checkServerIdentity
      function to the TLS implementation in order to implement custom identity
      verification logic.
      
      This addresses CVE-2021-44531.
      
      CVE-ID: CVE-2021-44531
      PR-URL: https://github.com/nodejs-private/node-private/pull/300
      Reviewed-By: Michael Dawson <midawson@redhat.com>
      Reviewed-By: Rich Trott <rtrott@gmail.com>
      50439b44