From f99a2c275d940a9b55aa8a12f56c3be5984b2f64 Mon Sep 17 00:00:00 2001 From: Danielle Adams Date: Mon, 10 Jan 2022 09:34:34 -0500 Subject: [PATCH] 2022-01-10, Version 16.13.2 'Gallium' (LTS) This is a security release. Notable changes: Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. - Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531 Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532) - Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. - Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the `--security-revert` command-line option. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532 Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533) - Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. - Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533 Prototype pollution via `console.table` properties (Low)(CVE-2022-21824) - Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype. - Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824 PR-URL: https://github.com/nodejs-private/node-private/pull/312 --- CHANGELOG.md | 3 +- doc/api/crypto.md | 4 +-- doc/api/tls.md | 1 + doc/changelogs/CHANGELOG_V16.md | 52 +++++++++++++++++++++++++++++++++ 4 files changed, 57 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c348f5762e6a2..1920ee43b94ff1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,7 +40,8 @@ release. 17.0.0
-16.13.1
+16.13.2
+16.13.1
16.13.0
16.12.0
16.11.1
diff --git a/doc/api/crypto.md b/doc/api/crypto.md index 32982621613d8d..3ec94008c888f0 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -2579,7 +2579,7 @@ The SHA-512 fingerprint of this certificate.