Update node Docker tag to v14.15.4 #19

Manually merged

samuel-p merged 1 commit from renovate/node-14.x into master 2021-01-06 13:39:13 +00:00

Conversation 0 Commits 1 Files changed 1 +1 -1

renovate-bot commented 2021-01-06 05:02:50 +00:00

Collaborator

Copy link

This PR contains the following updates:

Package	Type	Update	Change
node	final	patch	14.15.3-alpine -> 14.15.4-alpine

---

Release Notes

nodejs/node

v14.15.4

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

• CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)

  • This is a vulnerability in OpenSSL which may be exploited through
    Node.js. You can read more about it in
    https://www.openssl.org/news/secadv/20201208.txt

• CVE-2020-8265: use-after-free in TLSWrap (High)

  • Affected Node.js versions are vulnerable to a use-after-free bug in
    its TLS implementation. When writing to a TLS enabled socket,
    node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
    allocated WriteWrap object as first argument. If the DoWrite method
    does not return an error, this object is passed back to the caller as
    part of a StreamWriteResult structure. This may be exploited to
    corrupt memory leading to a Denial of Service or potentially other
    exploits.

• CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)

  • Affected versions of Node.js allow two copies of a header field in
    a http request. For example, two Transfer-Encoding header fields. In
    this case Node.js identifies the first header field and ignores the
    second. This can lead to HTTP Request Smuggling
    (https://cwe.mitre.org/data/definitions/444.html).

Commits

• [305c0f4977] - deps: upgrade npm to 6.14.10 (Ruy Adorno) #​36571
• [d62c650f75] - deps: update archs files for OpenSSL-1.1.1i (Myles Borins) #​36521
• [2de2672eb5] - deps: upgrade openssl sources to 1.1.1i (Myles Borins) #​36521
• [7ecac8143f] - http: add test for http transfer encoding smuggling (Matteo Collina) nodejs-private/node-private#​228
• [641f786bb1] - http: unset F_CHUNKED on new Transfer-Encoding (Matteo Collina) nodejs-private/node-private#​228
• [4f8772f9b7] - src: retain pointers to WriteWrap/ShutdownWrap (James M Snell) nodejs-private/node-private#​23

---

Renovate configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [node](https://github.com/nodejs/node) | final | patch | `14.15.3-alpine` -> `14.15.4-alpine` | --- ### Release Notes <details> <summary>nodejs/node</summary> ### [`v14.15.4`](https://github.com/nodejs/node/releases/v14.15.4) [Compare Source](https://github.com/nodejs/node/compare/v14.15.3...v14.15.4) This is a security release. ##### Notable Changes Vulnerabilities fixed: - **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in <https://www.openssl.org/news/secadv/20201208.txt> - **CVE-2020-8265**: use-after-free in TLSWrap (High) - Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. - **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low) - Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (<https://cwe.mitre.org/data/definitions/444.html>). ##### Commits - \[[`305c0f4977`](https://github.com/nodejs/node/commit/305c0f4977)] - **deps**: upgrade npm to 6.14.10 (Ruy Adorno) [#&#8203;36571](https://github.com/nodejs/node/pull/36571) - \[[`d62c650f75`](https://github.com/nodejs/node/commit/d62c650f75)] - **deps**: update archs files for OpenSSL-1.1.1i (Myles Borins) [#&#8203;36521](https://github.com/nodejs/node/pull/36521) - \[[`2de2672eb5`](https://github.com/nodejs/node/commit/2de2672eb5)] - **deps**: upgrade openssl sources to 1.1.1i (Myles Borins) [#&#8203;36521](https://github.com/nodejs/node/pull/36521) - \[[`7ecac8143f`](https://github.com/nodejs/node/commit/7ecac8143f)] - **http**: add test for http transfer encoding smuggling (Matteo Collina) [nodejs-private/node-private#&#8203;228](https://github.com/nodejs-private/node-private/pull/228) - \[[`641f786bb1`](https://github.com/nodejs/node/commit/641f786bb1)] - **http**: unset `F_CHUNKED` on new `Transfer-Encoding` (Matteo Collina) [nodejs-private/node-private#&#8203;228](https://github.com/nodejs-private/node-private/pull/228) - \[[`4f8772f9b7`](https://github.com/nodejs/node/commit/4f8772f9b7)] - **src**: retain pointers to WriteWrap/ShutdownWrap (James M Snell) [nodejs-private/node-private#&#8203;23](https://github.com/nodejs-private/node-private/pull/23) </details> --- ### Renovate configuration 📅 **Schedule**: At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻️ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate-bot added 1 commit 2021-01-06 05:02:55 +00:00

Update node Docker tag to v14.15.4 89119ecf1c

samuel-p was assigned by renovate-bot 2021-01-06 05:02:55 +00:00

samuel-p referenced this pull request from a commit 2021-01-06 13:39:13 +00:00

Merge pull request 'Update node Docker tag to v14.15.4' (#19) from renovate/node-14.x into master

samuel-p manually merged commit 71e9cbe892 into master 2021-01-06 13:39:13 +00:00

This repo is archived. You cannot comment on pull requests.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

wontfix

This won't be fixed

No labels

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

samuel-p

1 participant

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: samuel-p/cachet-monitor#19

No description provided.