CVE-2024-27982: The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. CVE-2024-27983: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition. The above are fixed in 18.20.1, 20.12.1, and 21.7.2 and have the following dependency bumps to address the vulnerabilities: - llhttp 9.2.1 on 21.x, 20.x, and 18.x - undici 6.11.1 on 21.x - undici 5.28.4 on 18.x and 20.x
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64852fd321932254798c4819b964236fa6c92107 commit 64852fd321932254798c4819b964236fa6c92107 Author: Matoro Mahri <matoro_gentoo@matoro.tk> AuthorDate: 2024-04-11 22:11:59 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2024-04-15 19:55:55 +0000 net-libs/nodejs: add 20.12.1 Bug: https://bugs.gentoo.org/928532 Closes: https://github.com/gentoo/gentoo/pull/36216 Signed-off-by: Matoro Mahri <matoro_gentoo@matoro.tk> Signed-off-by: William Hubbs <williamh@gentoo.org> net-libs/nodejs/Manifest | 1 + net-libs/nodejs/nodejs-20.12.1.ebuild | 265 ++++++++++++++++++++++++++++++++++ 2 files changed, 266 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a42c75e62d57879dc3b9f4ad9271ebe47b13dcff commit a42c75e62d57879dc3b9f4ad9271ebe47b13dcff Author: Matoro Mahri <matoro_gentoo@matoro.tk> AuthorDate: 2024-04-11 22:06:47 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2024-04-15 19:55:43 +0000 net-libs/nodejs: add 18.20.1 Bug: https://bugs.gentoo.org/928532 Closes: https://github.com/gentoo/gentoo/pull/36216 Signed-off-by: Matoro Mahri <matoro_gentoo@matoro.tk> Signed-off-by: William Hubbs <williamh@gentoo.org> net-libs/nodejs/Manifest | 1 + net-libs/nodejs/nodejs-18.20.1.ebuild | 259 ++++++++++++++++++++++++++++++++++ 2 files changed, 260 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02f02180c053b0b19a07cac98b5e74f9aa2e0491 commit 02f02180c053b0b19a07cac98b5e74f9aa2e0491 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2024-05-27 04:57:11 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2024-05-27 04:57:11 +0000 net-libs/nodejs: drop 18.17.1, 18.19.0, 20.6.1, 20.11.0 Bug: https://bugs.gentoo.org/928532 Signed-off-by: William Hubbs <williamh@gentoo.org> net-libs/nodejs/Manifest | 4 - net-libs/nodejs/nodejs-18.17.1.ebuild | 258 --------------------------------- net-libs/nodejs/nodejs-18.19.0.ebuild | 259 --------------------------------- net-libs/nodejs/nodejs-20.11.0.ebuild | 261 --------------------------------- net-libs/nodejs/nodejs-20.6.1.ebuild | 262 ---------------------------------- 5 files changed, 1044 deletions(-)