The SDK-for-Node.js buildpack includes the community January/February 2021 security releases and updated Node.js runtimes.
The January 2021 security release includes fixes for the following:
- Use-after-free in TLSWrap (High) (CVE-2020-8265), which impacts all 10.x, 12.x, and 14.x runtimes.
- HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287), which impacts all 10.x, 12.x, and 14.x runtimes.
- OpenSSL – EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971), which affects all 10.x, 12.x, and 14.x runtimes.
The February 2021 security release includes fixes for the following:
- HTTP2 ‘unknownProtocol’ causes Denial of Service by resource exhaustion (Critical) (CVE-2021-22883), which impacts all 10.x, 12.x, and 14.x runtimes.
- DNS rebinding in --inspect (CVE-2021-22884), which impacts all 10.x, 12.x, and 14.x runtimes.
- OpenSSL – Integer overflow in CipherUpdate (CVE-2021-23840), which impacts all 10.x, 12.x, and 14.x runtimes.
This buildpack contains the following Node.js runtimes: v10.23.3, v10.24.0, v12.20.2, v12.21.0, v14.15.5, v14.16.0. It is based on the community Node.js buildpack v1.7.44. The latest v10 runtime is the default runtime when one is not specified in the package.json. An existing application will not be affected by the new buildpack until you redeploy or restage. New applications will automatically use the new buildpack.
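To see which of the runtimes listed above a restaged application would land on, here is an added example (not the buildpack's own code) that models the selection from the app's optional package.json "engines.node" value. It assumes semver-style resolution that picks the highest matching runtime, handles only "x" wildcards and "^" ranges, and applies the page's stated default of the latest v10 runtime when no engine is specified.

```javascript
// Runtimes shipped in this buildpack release, as listed in the release note.
const RUNTIMES = ['10.23.3', '10.24.0', '12.20.2', '12.21.0', '14.15.5', '14.16.0'];

function parse(v) {
  return v.split('.').map(Number);
}

// Numeric semver comparison on major.minor.patch.
function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Builds a predicate for the subset of ranges handled here (assumption: a
// simplified stand-in for full semver), e.g. "14.16.0", "14.x", "12.20.x",
// "^14.15.0", "^12".
function matcher(range) {
  const caret = range.startsWith('^');
  const parts = range.replace(/^\^/, '').split('.');
  return (v) => {
    const p = parse(v);
    if (caret) {
      const [maj, min = 0, pat = 0] = parts.map(Number);
      return p[0] === maj && compare(v, `${maj}.${min}.${pat}`) >= 0;
    }
    return parts.every((part, i) => part === 'x' || part === '*' || Number(part) === p[i]);
  };
}

// Returns the highest runtime in this buildpack that satisfies enginesNode,
// the latest v10 runtime when enginesNode is absent (the documented default),
// or null when no shipped runtime matches (the deployment would not get a
// patched runtime from this list).
function selectRuntime(enginesNode, runtimes = RUNTIMES) {
  const candidates = enginesNode
    ? runtimes.filter(matcher(enginesNode.trim()))
    : runtimes.filter((v) => v.startsWith('10.'));
  if (candidates.length === 0) return null;
  return candidates.sort(compare)[candidates.length - 1];
}
```

Run it against each app's engines value before restaging to confirm the app will pick up one of the patched runtimes rather than falling outside the shipped set.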