| 1 | +# Created with YamlCreate.ps1 Dumplings Mod |
| 2 | +# yaml-language-server: $schema=https://aka.ms/winget-manifest.defaultLocale.1.10.0.schema.json |
| 3 | + |
| 4 | +PackageIdentifier: OpenJS.NodeJS.12 |
| 5 | +PackageVersion: 12.22.9 |
| 6 | +PackageLocale: en-US |
| 7 | +Publisher: Node.js Foundation |
| 8 | +PublisherUrl: https://openjsf.org/ |
| 9 | +PublisherSupportUrl: https://github.com/nodejs/node/blob/v12.22.9/.github/SUPPORT.md |
| 10 | +PrivacyUrl: https://privacy-policy.openjsf.org/ |
| 11 | +Author: OpenJS Foundation |
| 12 | +PackageName: Node.js 12 |
| 13 | +PackageUrl: https://nodejs.org/ |
| 14 | +License: MIT |
| 15 | +LicenseUrl: https://github.com/nodejs/node/blob/v12.22.9/LICENSE |
| 16 | +Copyright: Copyright Node.js contributors. All rights reserved. |
| 17 | +CopyrightUrl: https://trademark-policy.openjsf.org/ |
| 18 | +ShortDescription: Run JavaScript Everywhere |
| 19 | +Description: Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts. |
| 20 | +Moniker: nodejs-12 |
| 21 | +Tags: |
| 22 | +- coding |
| 23 | +- cross-platform |
| 24 | +- develop |
| 25 | +- development |
| 26 | +- environment |
| 27 | +- javascript |
| 28 | +- js |
| 29 | +- lts |
| 30 | +- node |
| 31 | +- npm |
| 32 | +- programming |
| 33 | +- runtime |
| 34 | +- v8 |
| 35 | +ReleaseNotes: |- |
| 36 | + This is a security release. |
| 37 | + Notable changes |
| 38 | + Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) |
| 39 | + Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. |
| 40 | + Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. |
| 41 | + More details will be available at CVE-2021-44531 after publication. |
| 42 | + Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532) |
| 43 | + Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. |
| 44 | + Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. |
| 45 | + More details will be available at CVE-2021-44532 after publication. |
| 46 | + Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533) |
| 47 | + Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. |
| 48 | + Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. |
| 49 | + More details will be available at CVE-2021-44533 after publication. |
| 50 | + Prototype pollution via console.table properties (Low)(CVE-2022-21824) |
| 51 | + Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype. |
| 52 | + Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to. |
| 53 | + More details will be available at CVE-2022-21824 after publication. |
| 54 | + Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability. |
| 55 | + Commits |
| 56 | + - [be69403528] - console: fix prototype pollution via console.table (Tobias Nießen) nodejs-private/node-private#307 |
| 57 | + - [19873abfb2] - crypto,tls: implement safe x509 GeneralName format (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300 |
| 58 | + - [ff9ac7d757] - doc: fix date for v12.22.8 (Richard Lau) #41213 |
| 59 | + - [a5c7843cab] - src: add cve reverts and associated tests (Michael Dawson and Akshay Kumar) nodejs-private/node-private#300 |
| 60 | + - [d4e5d1b9ca] - src: remove unused x509 functions (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300 |
| 61 | + - [8c2db2c86b] - tls: fix handling of x509 subject and issuer (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300 |
| 62 | + - [e0fe6a635e] - tls: drop support for URI alternative names (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300 |
| 63 | +ReleaseNotesUrl: https://github.com/nodejs/node/releases/tag/v12.22.9 |
| 64 | +Documentations: |
| 65 | +- DocumentLabel: Learn |
| 66 | + DocumentUrl: https://nodejs.org/learn/ |
| 67 | +- DocumentLabel: Documentation |
| 68 | + DocumentUrl: https://nodejs.org/docs/v12.22.9/api/ |
| 69 | +- DocumentLabel: About |
| 70 | + DocumentUrl: https://nodejs.org/about/ |
| 71 | +ManifestType: defaultLocale |
| 72 | +ManifestVersion: 1.10.0 |
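Review bot: the ReleaseNotes literal block carries the upstream typo "protoype" (in "use a null protoype for the object") and three "More details will be available at CVE-... after publication." sentences that read stale in a manifest added after the advisories were published; since ReleaseNotesUrl already points at the v12.22.9 release, either fix the typo and drop those three lines or keep the block as a verbatim quote of the upstream notes, but not a mix. The flattening also lost the headings and list formatting of the original, so "Notable changes" and "Commits" now run into the surrounding sentences and "Commits" reads as a continuation of the thank-you line; a blank line before each section heading (and before each "(Medium)(CVE-...)" title) would restore the structure inside the `|-` block without changing the schema.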