Update node Docker tag to v14.15.4 #19

Manually merged
samuel-p merged 1 commit from renovate/node-14.x into master 2021-01-06 13:39:13 +00:00
Collaborator

This PR contains the following updates:

Package Type Update Change
node final patch 14.15.3-alpine -> 14.15.4-alpine

Release Notes

nodejs/node

v14.15.4

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)

  • CVE-2020-8265: use-after-free in TLSWrap (High)

    • Affected Node.js versions are vulnerable to a use-after-free bug in
      its TLS implementation. When writing to a TLS enabled socket,
      node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
      allocated WriteWrap object as first argument. If the DoWrite method
      does not return an error, this object is passed back to the caller as
      part of a StreamWriteResult structure. This may be exploited to
      corrupt memory leading to a Denial of Service or potentially other
      exploits.
  • CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)

    • Affected versions of Node.js allow two copies of a header field in
      a http request. For example, two Transfer-Encoding header fields. In
      this case Node.js identifies the first header field and ignores the
      second. This can lead to HTTP Request Smuggling
      (https://cwe.mitre.org/data/definitions/444.html).
Commits

Renovate configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [node](https://github.com/nodejs/node) | final | patch | `14.15.3-alpine` -> `14.15.4-alpine` | --- ### Release Notes <details> <summary>nodejs/node</summary> ### [`v14.15.4`](https://github.com/nodejs/node/releases/v14.15.4) [Compare Source](https://github.com/nodejs/node/compare/v14.15.3...v14.15.4) This is a security release. ##### Notable Changes Vulnerabilities fixed: - **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in <https://www.openssl.org/news/secadv/20201208.txt> - **CVE-2020-8265**: use-after-free in TLSWrap (High) - Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. - **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low) - Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (<https://cwe.mitre.org/data/definitions/444.html>). ##### Commits - \[[`305c0f4977`](https://github.com/nodejs/node/commit/305c0f4977)] - **deps**: upgrade npm to 6.14.10 (Ruy Adorno) [#&#8203;36571](https://github.com/nodejs/node/pull/36571) - \[[`d62c650f75`](https://github.com/nodejs/node/commit/d62c650f75)] - **deps**: update archs files for OpenSSL-1.1.1i (Myles Borins) [#&#8203;36521](https://github.com/nodejs/node/pull/36521) - \[[`2de2672eb5`](https://github.com/nodejs/node/commit/2de2672eb5)] - **deps**: upgrade openssl sources to 1.1.1i (Myles Borins) [#&#8203;36521](https://github.com/nodejs/node/pull/36521) - \[[`7ecac8143f`](https://github.com/nodejs/node/commit/7ecac8143f)] - **http**: add test for http transfer encoding smuggling (Matteo Collina) [nodejs-private/node-private#&#8203;228](https://github.com/nodejs-private/node-private/pull/228) - \[[`641f786bb1`](https://github.com/nodejs/node/commit/641f786bb1)] - **http**: unset `F_CHUNKED` on new `Transfer-Encoding` (Matteo Collina) [nodejs-private/node-private#&#8203;228](https://github.com/nodejs-private/node-private/pull/228) - \[[`4f8772f9b7`](https://github.com/nodejs/node/commit/4f8772f9b7)] - **src**: retain pointers to WriteWrap/ShutdownWrap (James M Snell) [nodejs-private/node-private#&#8203;23](https://github.com/nodejs-private/node-private/pull/23) </details> --- ### Renovate configuration 📅 **Schedule**: At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻️ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
renovate-bot added 1 commit 2021-01-06 05:02:55 +00:00
Update node Docker tag to v14.15.4
All checks were successful
continuous-integration/drone/push Build is passing
89119ecf1c
samuel-p was assigned by renovate-bot 2021-01-06 05:02:55 +00:00
samuel-p manually merged commit 71e9cbe892 into master 2021-01-06 13:39:13 +00:00
This repo is archived. You cannot comment on pull requests.
No reviewers
No milestone
No project
No assignees
1 participant
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: samuel-p/cachet-monitor#19
No description provided.