Notable changes
This is a security release.
The following vulnerabilities have been fixed.
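CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in the TLS implementation.
When writing data to a TLS-enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite,
passing a freshly allocated WriteWrap object as the first argument. If the DoWrite method does not return an error,
this object is returned to the caller as part of a StreamWriteResult structure. This can be exploited to corrupt memory,
leading to a denial of service or potentially other security issues.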
CVE-2020-8287: HTTP request smuggling in Node.js
Affected Node.js versions allow two identical header fields in a single HTTP request.
For example, two Transfer-Encoding header fields can be present. In this case Node.js uses
the first header field and ignores the second. This can lead to HTTP request smuggling.
(https://cwe.mitre.org/data/definitions/444.html)
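The duplicate-header ambiguity described above can be checked for before a request is forwarded. The following is an added example, not code from Node.js or from the original release notes: it scans a raw request head for repeated Transfer-Encoding or Content-Length fields and reports which value a first-wins and a last-wins parser would each act on. The function names, the sample requests, and the stricter policy of also rejecting a request that carries both headers are assumptions of this example.

```javascript
'use strict';

// Headers that decide where a request body ends; a repeat of either is ambiguous.
const FRAMING_HEADERS = ['transfer-encoding', 'content-length'];

// Parse a raw HTTP/1.1 request head (request line + header lines) into an
// ordered list of [lowercased-name, value] pairs, keeping duplicates.
function parseHeaderLines(rawHead) {
  const lines = rawHead.split('\r\n').slice(1); // drop the request line
  const fields = [];
  for (const line of lines) {
    if (line === '') break; // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx <= 0) throw new Error('malformed header line: ' + JSON.stringify(line));
    fields.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return fields;
}

// Report framing headers that occur more than once, with the value a
// "first wins" parser and a "last wins" parser would each use.
function auditFraming(rawHead) {
  const fields = parseHeaderLines(rawHead);
  const findings = [];
  for (const name of FRAMING_HEADERS) {
    const values = fields.filter(([n]) => n === name).map(([, v]) => v);
    if (values.length > 1) {
      findings.push({ header: name, count: values.length,
        firstWins: values[0], lastWins: values[values.length - 1] });
    }
  }
  // Assumed stricter policy: Transfer-Encoding together with Content-Length is also refused.
  const names = new Set(fields.map(([n]) => n));
  const mixed = names.has('transfer-encoding') && names.has('content-length');
  return { reject: findings.length > 0 || mixed, findings, mixed };
}

// Constructed sample: the duplicated Transfer-Encoding case from the advisory text.
const SAMPLE_DUPLICATE = [
  'POST /upload HTTP/1.1',
  'Host: example.test',
  'Transfer-Encoding: chunked',
  'Transfer-Encoding: identity',
  '', '',
].join('\r\n');
const SAMPLE_CLEAN = 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n'; // constructed

console.log(JSON.stringify(auditFraming(SAMPLE_DUPLICATE), null, 2));
console.log(auditFraming(SAMPLE_CLEAN).reject);
```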
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer dereference (High)
This is a vulnerability in OpenSSL that can be exploited through Node.js.
More information is available at https://www.openssl.org/news/secadv/20201208.txt
Commits
Windows 32-bit Installer: https://nodejs.org/dist/v12.20.1/node-v12.20.1-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v12.20.1/node-v12.20.1-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v12.20.1/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v12.20.1/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v12.20.1/node-v12.20.1.pkg
macOS 64-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-darwin-x64.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-aix-ppc64.tar.gz
SmartOS 64-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-sunos-x64.tar.xz
ARMv7 32-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v12.20.1/node-v12.20.1-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v12.20.1/node-v12.20.1.tar.gz
Other release files: https://nodejs.org/dist/v12.20.1/
Documentation: https://nodejs.org/docs/v12.20.1/api/
SHASUMS