Blog: add post security release blog post

RafaelGSS · Apr 3, 2024 · 2d31f57 · 2d31f57
1 parent 4f7c56b
commit 2d31f57
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 4 deletions.
diff --git a/pages/en/blog/vulnerability/april-2024-security-releases.md b/pages/en/blog/vulnerability/april-2024-security-releases.md
@@ -1,12 +1,45 @@
 ---
-date: 2024-03-27T03:00:00.000Z
+date: 2024-04-03T03:00:00.000Z
 category: vulnerability
 title: Wednesday, April 3, 2024 Security Releases
 slug: april-2024-security-releases
 layout: blog-post
 author: The Node.js Project
 ---
 
+## Security releases available
+
+Updates are now available for the v18.x, v20.x and 21.x Node.js release lines for the
+following issues.
+
+This security release includes the following dependency updates to address public vulnerabilities:
+
+- llhttp version 9.2.1 on 21.x, 20.x, and 18.x
+- undici version 6.11.1 on 21.x
+- undici version 5.28.4 on 18.x and 20.x
+
+## Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash (CVE-2024-27983) - (High)
+
+An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
+
+Impacts:
+
+- This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x.
+
+Thank you, to bart for reporting this vulnerability and [Anna Henningsen](https://github.com/addaleax) for fixing it.
+
+## HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium)
+
+The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
+
+Impacts:
+
+- This vulnerability affects all users in all active release lines: 18.x, 20.x and, 21.x.
+
+Thank you, to bpingel for reporting this vulnerability and [Paolo Insogna](https://github.com/ShogunPanda) for fixing it.
+
+---
+
 # Summary
 
 The Node.js project will release new versions of the 18.x, 20.x, 21.x

diff --git a/site.json b/site.json
@@ -28,9 +28,9 @@
  ],
  "websiteBanners": {
  "index": {
- "startDate": "2024-03-28T13:45:00.000Z",
- "endDate": "2024-04-11T17:30:00.000Z",
- "text": "New security releases to be made available April 3rd, 2024",
+ "startDate": "2024-04-03T03:00:00.000Z",
+ "endDate": "2024-04-10T17:30:00.000Z",
+ "text": "Security releases are now available!",
  "link": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/",
  "type": "warning"
  }