2024-04-03, Version 20.12.1 'Iron' (LTS)

This is a security release. Notable changes: * CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High) * CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) * llhttp version 9.2.1 * undici version 5.28.4 PR-URL: nodejs-private/node-private#575
tniessen · Apr 3, 2024 · 24d036b · 24d036b
1 parent dab20cc
commit 24d036b
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -50,7 +50,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V21.md#21.0.0">21.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V20.md#20.12.0">20.12.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V20.md#20.12.1">20.12.1</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V20.md#20.12.0">20.12.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.11.1">20.11.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.11.0">20.11.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.10.0">20.10.0</a><br/>

diff --git a/doc/changelogs/CHANGELOG_V20.md b/doc/changelogs/CHANGELOG_V20.md
@@ -9,6 +9,7 @@
 </tr>
 <tr>
 <td>
+<a href="#20.12.1">20.12.1</a><br/>
 <a href="#20.12.0">20.12.0</a><br/>
 <a href="#20.11.1">20.11.1</a><br/>
 <a href="#20.11.0">20.11.0</a><br/>
@@ -56,6 +57,25 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="20.12.1"></a>
+
+## 2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS
+
+This is a security release
+
+### Notable Changes
+
+* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High)
+* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
+* llhttp version 9.2.1
+* undici version 5.28.4
+
+### Commits
+
+* \[[`bd8f10a257`](https://github.com/nodejs/node/commit/bd8f10a257)] - **deps**: update undici to v5.28.4 (Matteo Collina) [nodejs-private/node-private#576](https://github.com/nodejs-private/node-private/pull/576)
+* \[[`5e34540a96`](https://github.com/nodejs/node/commit/5e34540a96)] - **http**: do not allow OBS fold in headers by default (Paolo Insogna) [nodejs-private/node-private#557](https://github.com/nodejs-private/node-private/pull/557)
+* \[[`ba1ae6d188`](https://github.com/nodejs/node/commit/ba1ae6d188)] - **src**: ensure to close stream when destroying session (Anna Henningsen) [nodejs-private/node-private#561](https://github.com/nodejs-private/node-private/pull/561)
+
 <a id="20.12.0"></a>
 
 ## 2024-03-26, Version 20.12.0 'Iron' (LTS), @richardlau