2024-04-03, Version 21.7.2 (Current), @RafaelGSS prepared by @marco-ippolito

RafaelGSS released this 03 Apr 14:26

· 2913 commits to main since this release

This is a security release.

Notable changes

CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation- (Medium)
llhttp version 9.2.1
undici version 6.11.1

Commits

[3dfc10c851] - deps: update undici to 6.11.1 (Node.js GitHub Bot) #52328
[aceea1c5e7] - deps: update undici to 6.10.2 (Node.js GitHub Bot) #52227
[5f0f96b275] - deps: update llhttp to 9.2.0 (Node.js GitHub Bot) #51719
[1a65e98e22] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#556
[3bd39fb474] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

Assets 2