2020-06-02, Version 14.4.0 (Current), @targos

targos released this 02 Jun 18:45

Notable changes

This is a security release.

Vulnerabilities fixed:

CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).

Commits

[07a4d5061f] - crypto: update root certificates (AshCripps) #33682
[0a7bf50fd4] - (SEMVER-MINOR) deps: update nghttp2 to 1.41.0 (James M Snell) nodejs-private/node-private#204
[55e4c72af8] - (SEMVER-MINOR) http2: implement support for max settings entries (James M Snell) nodejs-private/node-private#204
[290720d16a] - napi: fix memory corruption vulnerability (Tobias Nießen) nodejs-private/node-private#195
[94571c1001] - tls: emit session after verifying certificate (Fedor Indutny) nodejs-private/node-private#200
[1658cf9ee6] - tools: update certdata.txt (AshCripps) #33682

Assets 2