Node.js 17.3.1 軟體資訊交流 Mac

winXmac軟體社群 Mac 影像繪圖 Johan Mattsson 免費軟體 Rate 100

BirdFont for Mac,軟體教學,軟體下載,軟體社群,Windows軟體,Mac軟體

Node.js 17.3.1 Mac

Birdfont for Mac 是一款免費的字體編輯器,可讓您創建矢量圖形並導出 TTF,EOT 和 SVG 字體。這是一個免費的應用程序,但鼓勵在開發者頁面 10 美元或以上的捐款,並允許您下載商業版本的 BirdFont,它允許您創建專有字體.8997423

檔案版本 Node.js 17.3.1
檔案名稱 node-v17.3.1.pkg
系統 Mac OS X 10.6 or later
軟體類型 免費軟體
作者 Johan Mattsson
軟體類型 2022-01-11

What's new in this version:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531):
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option
- More details will be available at CVE-2021-44531 after publication

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532):
- Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
- More details will be available at CVE-2021-44532 after publication

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533):
- Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.
- Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
- More details will be available at CVE-2021-44533 after publication

Prototype pollution via console.table properties (Low)(CVE-2022-21824):
- Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to
- More details will be available at CVE-2022-21824 after publication
- Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability

檔案下載 檔案下載