nodejs/node
### [`v14.18.1`](https://togithub.com/nodejs/node/releases/v14.18.1)
[Compare Source](https://togithub.com/nodejs/node/compare/v14.18.0...v14.18.1)
This is a security release.
##### Notable changes
- **CVE-2021-22959**: HTTP Request Smuggling due to spaced in headers (Medium)
- The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at [CVE-2021-22959](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959) after publication.
- **CVE-2021-22960**: HTTP Request Smuggling when parsing the body (Medium)
- The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at [CVE-2021-22960](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960) after publication.
##### Commits
- \[[`8c254ca7e4`](https://togithub.com/nodejs/node/commit/8c254ca7e4)] - **deps**: update llhttp to 2.1.4 (Fedor Indutny) [nodejs-private/node-private#285](https://togithub.com/nodejs-private/node-private/pull/285)
- \[[`9b92ae2499`](https://togithub.com/nodejs/node/commit/9b92ae2499)] - **http**: add regression test for smuggling content length (Matteo Collina) [nodejs-private/node-private#285](https://togithub.com/nodejs-private/node-private/pull/285)
- \[[`f467539719`](https://togithub.com/nodejs/node/commit/f467539719)] - **http**: add regression test for chunked smuggling (Matteo Collina) [nodejs-private/node-private#285](https://togithub.com/nodejs-private/node-private/pull/285)
Configuration
π Schedule: "after 10:30 before 18:00 every weekday except after 13:00 before 14:00" in timezone America/Lima.
π¦ Automerge: Enabled.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about these updates again.
[ ] If you want to rebase/retry this PR, check this box.
This PR contains the following updates:
14.18.0
->14.18.1
>=v14.18.0
->>=v14.18.1
Release Notes
nodejs/node
### [`v14.18.1`](https://togithub.com/nodejs/node/releases/v14.18.1) [Compare Source](https://togithub.com/nodejs/node/compare/v14.18.0...v14.18.1) This is a security release. ##### Notable changes - **CVE-2021-22959**: HTTP Request Smuggling due to spaced in headers (Medium) - The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at [CVE-2021-22959](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959) after publication. - **CVE-2021-22960**: HTTP Request Smuggling when parsing the body (Medium) - The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at [CVE-2021-22960](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960) after publication. ##### Commits - \[[`8c254ca7e4`](https://togithub.com/nodejs/node/commit/8c254ca7e4)] - **deps**: update llhttp to 2.1.4 (Fedor Indutny) [nodejs-private/node-private#285](https://togithub.com/nodejs-private/node-private/pull/285) - \[[`9b92ae2499`](https://togithub.com/nodejs/node/commit/9b92ae2499)] - **http**: add regression test for smuggling content length (Matteo Collina) [nodejs-private/node-private#285](https://togithub.com/nodejs-private/node-private/pull/285) - \[[`f467539719`](https://togithub.com/nodejs/node/commit/f467539719)] - **http**: add regression test for chunked smuggling (Matteo Collina) [nodejs-private/node-private#285](https://togithub.com/nodejs-private/node-private/pull/285)Configuration
π Schedule: "after 10:30 before 18:00 every weekday except after 13:00 before 14:00" in timezone America/Lima.
π¦ Automerge: Enabled.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by WhiteSource Renovate. View repository job log here.