Headline
CVE-2019-15606: Node v13.8.0 (Current) | Node.js
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
This is a security release.
Vulnerabilities fixed:
- CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
- CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
- CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
- [b7da194714] - benchmark: support optional headers with wrk (Sam Roberts) nodejs-private/node-private#189
- [1156a9e5f8] - crypto: fix assertion caused by unsupported ext (Fedor Indutny) nodejs-private/node-private#175
- [8f41e837bb] - deps: update llhttp to 2.0.4 (Beth Griggs) nodejs-private/node-private#199
- [07d56e49cf] - (SEMVER-MINOR) http: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) #31448
- [25b6897e8a] - http: strip trailing OWS from header values (Sam Roberts) nodejs-private/node-private#189
- [eea3a7429b] - test: using TE to smuggle reqs is not possible (Sam Roberts) nodejs-private/node-private#199
Windows 32-bit Installer: https://nodejs.org/dist/v13.8.0/node-v13.8.0-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v13.8.0/node-v13.8.0-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v13.8.0/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v13.8.0/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v13.8.0/node-v13.8.0.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-darwin-x64.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-aix-ppc64.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-sunos-x64.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v13.8.0/node-v13.8.0-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v13.8.0/node-v13.8.0.tar.gz
Other release files: https://nodejs.org/dist/v13.8.0/
Documentation: https://nodejs.org/docs/v13.8.0/api/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
25a267d18f6d7d66528bbe9a9d54730a8a39b27e9d315114ca008a105a01e55c node-v13.8.0-aix-ppc64.tar.gz
ae480e2b124cb55667763848b8ec0fde1bc35d5e0b76debe881034689a68eaea node-v13.8.0-darwin-x64.tar.gz
09eb3068e03df502d119a63201552a20910981acc64b4f5913ee07183cabb886 node-v13.8.0-darwin-x64.tar.xz
01eec708bb3cb0d57108c24f87ccf00a389aab9127ff671b8ee4e14808b23cb8 node-v13.8.0-headers.tar.gz
d29fcff404843a52e1f19718fc60779170162c844a9bedc746f8d9de00a240ae node-v13.8.0-headers.tar.xz
69a51fa98a9543f09f2a3838a04b49fd774005398de9732caf337e027145c988 node-v13.8.0-linux-arm64.tar.gz
f1d4167a6911e42d836a5459c992cdaf35a03ab0700ea80831d7df5d706d1baf node-v13.8.0-linux-arm64.tar.xz
228d79dfc07749d90cfa7938cffb7201d8e12ca7f92cba2f1766431b8d2acedf node-v13.8.0-linux-armv7l.tar.gz
e35e1c39478d3d0508231d042a450564aed935a4b9eed245e81ff9074db59215 node-v13.8.0-linux-armv7l.tar.xz
7fe719cb5c92fecbad462a240ff4f1b12220d022c781af9a10c64282c95a0fc2 node-v13.8.0-linux-ppc64le.tar.gz
e243be4a2a62c90d33c3f1bf49afdad894e154e6faa4282719c31eb541a7b39a node-v13.8.0-linux-ppc64le.tar.xz
acbd4d0336f0fdea3222dfa707705b4ebfc1fa0986df510b77dc23406e8635e6 node-v13.8.0-linux-s390x.tar.gz
b466a5d4ab128a94cf0559d201a60e7ad867170cd2ae64dda2ee893c93cef059 node-v13.8.0-linux-s390x.tar.xz
bf30432175ea8a95fa3e5fe09e96d9fc17b07099742d5c83c4cf9d0edfc411ff node-v13.8.0-linux-x64.tar.gz
47a8cb675358f2ff534ad3d6709f14de0433f76d3af92cf389b8dcc78a1236ad node-v13.8.0-linux-x64.tar.xz
a5d4de1c8f64fac3d0b0fae6de966c4d091e1cdc570e9f4b880f314c222befb0 node-v13.8.0.pkg
95b370e2bcb127e235d1388ce1f5703d7789417b670c2b6e5287b47bb9f7e692 node-v13.8.0-sunos-x64.tar.gz
19fec6076c2ace2b68c80b06fcbea92390a9bf575281d16759e4b2dc1b49620f node-v13.8.0-sunos-x64.tar.xz
815b5e1b18114f35da89e4d98febeaba97555d51ef593bd5175db2b05f2e8be6 node-v13.8.0.tar.gz
bb6104c9da90cfba02e231c524899bad6592d67ea5dc9dcb88ac0ff2b63f83c0 node-v13.8.0.tar.xz
b0bc2ba000a8828ff5c7371f250ea7f07c662646696f4fdefa99207ecb5481b1 node-v13.8.0-win-x64.7z
f198f3e4b120fc84b61d12e7222530c5bb9c6f864735bb41a8db1cf1b94a64c3 node-v13.8.0-win-x64.zip
1f7af35b3b3999931e61df8e4d0e21fb6c416b7d3f780a31bb3c23c439672501 node-v13.8.0-win-x86.7z
e0abc7394d79c5be19a615ebadd6029e05dca0741ae41f5dc5cc9476f040f998 node-v13.8.0-win-x86.zip
264c9dc82400446b7df1103324c6f85c5bf413f088ead884e7262bbfaf41188b node-v13.8.0-x64.msi
ea7ae6a7c1d8627070955ec0362e50b997f80ba419b8f00cc8299310c38e7ff5 node-v13.8.0-x86.msi
d7bb5ffed9175053cc5f8cc12ac014c81621cd88af855418c37675b7331206e7 win-x64/node.exe
93d8299044f598d700f67480a72d710a59888a14fea2e9f0d5fcc248b0ec02e2 win-x64/node.lib
04a1533a22c5b8c061e58b28cfc921f8de6d604c62ffb63584d566427811c4a7 win-x64/node_pdb.7z
5656b66192d186d98ade188d0259cc8b4a4bef3e00fce9e89f1514b21e1c4812 win-x64/node_pdb.zip
f2898d8356128272ed7bdc7e7edb9d86ed5a3ad9256ccfb27b8e5dd7c61c176e win-x86/node.exe
876a8db699a1d5f5d298900b998b07d1bcd15273633c684f266718940cc211f5 win-x86/node.lib
08fc7c0e6f9f37597ac7fd7cb78d3b8e2520f098217b39641fdb8344c3916bd4 win-x86/node_pdb.7z
82d65d46fdd35b4b7ae3eab0d585f466a3d04e6192a33f329d45e3702f90db42 win-x86/node_pdb.zip
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEETtd49TnjY0x3nIfG1wYoSKGrAFwFAl47+GsACgkQ1wYoSKGr
AFxEWwf+Imz8ml0R4bRl9SBUv4eE0+ocoi4sjNssSdHAVC4lf6fg7Lv/104wjgr5
lXx38gICHyuV86CxUXsbI5a2U3e5V6BYVYf37a3XcJfqGnqqSI2HkbDn2aBCG0dF
WUOWs9eYau8zMeS3N336DgGwbUGnoN1zPTBGK0sKXPM4QKF5fjT1LyxWGjjuikLH
1JvrDM2L9RBV6YHzdmmgxUp2TEjFhhepHq/pkp6hQdMmvIx8UnzmAmn1aPKIbg81
iJftuqFjinbK4NumA2oXNwiBnwJdxAgc47Nmo5D4bcX2rFQEkfcbhg6por5If94k
jMVV+QOMhokVF4cM4dzuJJfcGjGIrw==
=NojX
-----END PGP SIGNATURE-----
Related news
Ubuntu Security Notice 6380-1 - Rogier Schouten discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Ethan Rubinson discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).