missing release notes for CVE-2020-10531 #3245
Comments
Original upstream ICU fix for the CVE: unicode-org/icu@b7d08bc
I think these were called out in the separate Security Release blog post https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
Yes, these were called out in the June 2020 security releases, but that release note states: "Does not affect 12.x or 14.x, they do not include an affected version of ICU." That is true, but the reason it is true is that it was silently fixed in their respective previous versions. I guess the release notes for v12.17.0 and v14.3.0 could be modified to mention that they fix CVE-2020-10531, and the June 2020 notes could be modified to add a pointer to these two previous releases as the fixed versions. The issue is that, currently, a person reading the release notes might wrongly interpret that Node 12 and Node 14 were never vulnerable to CVE-2020-10531.
@nodejs/releasers maybe you can answer this one, since you folks usually cut the release note PRs.
Trying to tidy up this place and tie up loose ends.
The release notes for v12.17.0 and v14.3.0 still do not mention that they contain the fix for CVE-2020-10531. To re-summarize the issue: someone running, for example, Node 14.2.0 may wrongfully believe they are not affected by CVE-2020-10531, based on the lack of public details (no mention of the fix in the 14.3.0 and 12.17.0 release notes, and the notes from the June 2020 security release may mislead people into thinking that 12 and 14 were never affected). I am not sure whether or not it should be considered relevant, but I prefer when security notes are tidy and clean.
Could you show the logs of where it states that these versions were used? Otherwise, if our Release team mentions that those versions are not affected, I don't see any reason for invalidating their claims.
I am not sure where to find that in the logs, but I can show you that in the code. In v12.16.0 (which is < 12.17.0), we can find the vulnerable code: https://github.com/nodejs/node/blob/v12.16.0/deps/icu-small/source/common/unistr.cpp#L1565 As a reminder, according to NIST (https://nvd.nist.gov/vuln/detail/CVE-2020-10531) the ICU upstream fix is here: unicode-org/icu@b7d08bc#diff-7d047c27f750d3f742e9cc532e4d688fcf8618575975426cb305d727e105b0d3 If you compare the two links, you will see that the file
For v14.2.0 (which is < v14.3.0): https://github.com/nodejs/node/blob/v14.2.0/deps/icu-small/source/common/unistr.cpp#L1565
Gotcha, it's been such a long time that I'm not sure it is worth chasing after the rabbit, but maybe @nodejs/release might be able to assess if the blog post should be updated.
Yes, I agree. Back when I reported the issue, it might have mattered for people running a vulnerable version (e.g. it might have weighed in favor of an upgrade of Node.js). (That being said, if I can express my humble opinion: security release notes should always be correct, as they tend to be considered a source of truth.)
Noted! Thank you for the valuable info and help! And I apologise for the misleading endeavours! Closing this issue as there are no actions to be done for now.
Hello,
CVE-2020-10531 was silently fixed in 14.3.0 and v14.3.0, as a side effect of the ICU rebase.
fix in v12.17.0: nodejs/node@2d76ae7#diff-bd007b7962bfa64fcd3a1e11d91f03daL1566
14.3.0: nodejs/node@331f0b3#diff-bd007b7962bfa64fcd3a1e11d91f03daL1566
Could you please update the corresponding release notes to reflect this fact? (Currently, from a release notes point of view, only 10.21.0 has an acknowledged fix.)
https://nodejs.org/en/blog/release/v14.3.0/
https://nodejs.org/en/blog/release/v12.17.0/