Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible wrong CVE-2021-22930 reference (should be CVE-2021-22940) in tagged v16.6.2 / v14.17.5 releases #40306

Closed
cfi-gb opened this issue Oct 4, 2021 · 7 comments
Labels
doc Issues and PRs related to the documentations. security Issues and PRs related to security.

Comments

@cfi-gb
Copy link

cfi-gb commented Oct 4, 2021

As this is affecting this repository / the tagged releases of this repo i hope this is the correct place to report this problem, if not please let me know where to forward the following below.

On the following tags:

as well as in the related CHANGELOG_v14.md / CHANGELOG_v16.md the following is stated for the mentioned releases:

CVE-2021-22930: Use after free on close http2 on stream canceling (High)

Comparing the releases with the announcement here:

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

this probably should be the following instead:

CVE-2021-22940 Use after free on close http2 on stream canceling (High)

due to:

The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

@targos
Copy link
Member

targos commented Oct 4, 2021

@nodejs/security

@cfi-gb cfi-gb changed the title Wrong CVE-2021-22930 reference (should be CVE-2021-22940) in tagged v16.6.2 / v14.17.5 releases Possible wrong CVE-2021-22930 reference (should be CVE-2021-22940) in tagged v16.6.2 / v14.17.5 releases Oct 4, 2021
@Mesteery Mesteery added doc Issues and PRs related to the documentations. security Issues and PRs related to security. labels Oct 4, 2021
@mcollina
Copy link
Member

mcollina commented Oct 4, 2021

The changelog should be updated, @cfi-gb analysis is correct.

cc @nodejs/releasers

@targos
Copy link
Member

targos commented Oct 4, 2021

on it

@targos targos self-assigned this Oct 4, 2021
@targos
Copy link
Member

targos commented Oct 4, 2021

@mcollina CVE-2021-22930 seems still private. Is that expected?

@mcollina
Copy link
Member

mcollina commented Oct 4, 2021

Not really, I just requested pubblication. it'll be out soon.

targos added a commit to targos/node that referenced this issue Oct 4, 2021
targos added a commit to targos/nodejs.org that referenced this issue Oct 4, 2021
@targos
Copy link
Member

targos commented Oct 4, 2021

Changelog fix: #40308
Blog fix: nodejs/nodejs.org#4143

targos added a commit to nodejs/nodejs.org that referenced this issue Oct 4, 2021
@cfi-gb
Copy link
Author

cfi-gb commented Oct 5, 2021

Thanks a lot for everyone contributing to this report. 👍

danielleadams pushed a commit that referenced this issue Oct 5, 2021
Fixes: #40306

PR-URL: #40308
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Vladimir de Turckheim <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
@targos targos removed their assignment Mar 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations. security Issues and PRs related to security.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants