FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Node.js -- January 2021 Security Releases

Affected packages
node10 < 10.23.1
node12 < 12.20.1
node14 < 14.15.4
node < 15.5.1

Details

VuXML ID 08b553ed-537a-11eb-be6e-0022489ad614
Discovery 2021-01-04
Entry 2021-01-14

Node.js reports:

use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)

Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.

References

CVE Name CVE-2020-1971
CVE Name CVE-2020-8265
CVE Name CVE-2020-8287
URL https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
URL https://www.openssl.org/news/secadv/20201208.txt