Security updates for all active release lines, April 2021

Daniel Bevenius

unread,

Mar 31, 2021, 2:10:44 PM3/31/21

to nodejs-sec

# Summary

The Node.js project will release new versions of all supported release lines on or shortly after Tuesday, April 6th, 2021.

* Three High severity issues

## Impact

The 15.x release line of Node.js is vulnerable to two high severity issues.

The 14.x release line of Node.js is vulnerable to three high severity issues.

The 12.x release line of Node.js is vulnerable to three high severity issues.

The 10.x release line of Node.js is vulnerable to three high severity issues.

## Release timing

Releases will be available at, or shortly after, Tuesday, April 6th, 2021.

## Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

Daniel Bevenius

unread,

Apr 6, 2021, 4:01:13 PM4/6/21

to nodejs-sec

## _(Update 6-Apr-2021)_ Security releases available

Updates are now available for v10,x, v12.x, v14.x and v15.x Node.js release lines for the following issues.

### OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in

https://www.openssl.org/news/secadv/20210325.txt

Impacts:

* All versions of the 15.x, 14.x, 12.x and 10.x releases lines

### OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in

https://www.openssl.org/news/secadv/20210325.txt

Impacts:

* All versions of the 15.x, 14.x, 12.x and 10.x releases lines

### npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)

This is a vulnerability in the y18n npm module which may be exploited by prototype pollution.

You can read more about it in

https://github.com/advisories/GHSA-c4w7-xm78-47vh

Impacts:

* All versions of the 14.x, 12.x and 10.x releases lines

## Downloads and release details

* [Node.js v10.24.1 (LTS)](https://nodejs.org/en/blog/release/v10.24.1/)

* [Node.js v12.21.1 (LTS)](https://nodejs.org/en/blog/release/v12.21.1/)

* [Node.js v14.16.1 (LTS)](https://nodejs.org/en/blog/release/v14.16.1/)

* [Node.js v15.13.1 (Current)](https://nodejs.org/en/blog/release/v15.13.1/)

Daniel Bevenius

unread,

Apr 7, 2021, 11:46:29 PM4/7/21

to nodejs-sec

There was a mistake in the previous post with regards to the following download link for Node v15. It should have been:

* [Node.js v15.14.0 (Current)](https://nodejs.org/en/blog/release/v15.14.0/)

The security release blog post has been updated with the correct link: https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/.