2020-06-02, Version 14.4.0 (Current)

targos · targos · commit 27adbf027f2d · 2020-06-02T15:58:27.000+02:00
This is a security release. Notable changes: Vulnerabilities fixed: CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High). CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low). CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High). PR-URL: nodejs-private/node-private#212
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,7 +31,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V14.md#14.3.0">14.3.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V14.md#14.4.0">14.4.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V14.md#14.3.0">14.3.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V14.md#14.2.0">14.2.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V14.md#14.1.0">14.1.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V14.md#14.0.0">14.0.0</a><br/>
diff --git a/doc/api/http2.md b/doc/api/http2.md
@@ -1991,7 +1991,8 @@ value only affects new connections to the server, not any existing connections.
 <!-- YAML
 added: v8.4.0
 changes:
-  - version: REPLACEME
+  - version:
+     - v14.4.0
     pr-url: https://github.com/nodejs-private/node-private/pull/204
     description: Added `maxSettings` option with a default of 32.
   - version:
@@ -2127,7 +2128,8 @@ server.listen(80);
 <!-- YAML
 added: v8.4.0
 changes:
-  - version: REPLACEME
+  - version:
+     - v14.4.0
     pr-url: https://github.com/nodejs-private/node-private/pull/204
     description: Added `maxSettings` option with a default of 32.
   - version:
@@ -2250,7 +2252,8 @@ server.listen(80);
 <!-- YAML
 added: v8.4.0
 changes:
-  - version: REPLACEME
+  - version:
+     - v14.4.0
     pr-url: https://github.com/nodejs-private/node-private/pull/204
     description: Added `maxSettings` option with a default of 32.
   - version: v13.0.0
diff --git a/doc/changelogs/CHANGELOG_V14.md b/doc/changelogs/CHANGELOG_V14.md
@@ -10,6 +10,7 @@
 </tr>
 <tr>
 <td>
+<a href="#14.4.0">14.4.0</a><br/>
 <a href="#14.3.0">14.3.0</a><br/>
 <a href="#14.2.0">14.2.0</a><br/>
 <a href="#14.1.0">14.1.0</a><br/>
@@ -34,6 +35,27 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="14.4.0"></a>
+## 2020-06-02, Version 14.4.0 (Current), @targos
+
+### Notable changes
+
+This is a security release.
+
+Vulnerabilities fixed:
+* **CVE-2020-8172**: TLS session reuse can lead to host certificate verification bypass (High).
+* **CVE-2020-11080**: HTTP/2 Large Settings Frame DoS (Low).
+* **CVE-2020-8174**: `napi_get_value_string_*()` allows various kinds of memory corruption (High).
+
+### Commits
+
+* [[`07a4d5061f`](https://github.com/nodejs/node/commit/07a4d5061f)] - **crypto**: update root certificates (AshCripps) [#33682](https://github.com/nodejs/node/pull/33682)
+* [[`0a7bf50fd4`](https://github.com/nodejs/node/commit/0a7bf50fd4)] - **(SEMVER-MINOR)** **deps**: update nghttp2 to 1.41.0 (James M Snell) [nodejs-private/node-private#204](https://github.com/nodejs-private/node-private/pull/204)
+* [[`55e4c72af8`](https://github.com/nodejs/node/commit/55e4c72af8)] - **(SEMVER-MINOR)** **http2**: implement support for max settings entries (James M Snell) [nodejs-private/node-private#204](https://github.com/nodejs-private/node-private/pull/204)
+* [[`290720d16a`](https://github.com/nodejs/node/commit/290720d16a)] - **napi**: fix memory corruption vulnerability (Tobias Nießen) [nodejs-private/node-private#195](https://github.com/nodejs-private/node-private/pull/195)
+* [[`94571c1001`](https://github.com/nodejs/node/commit/94571c1001)] - **tls**: emit `session` after verifying certificate (Fedor Indutny) [nodejs-private/node-private#200](https://github.com/nodejs-private/node-private/pull/200)
+* [[`1658cf9ee6`](https://github.com/nodejs/node/commit/1658cf9ee6)] - **tools**: update certdata.txt (AshCripps) [#33682](https://github.com/nodejs/node/pull/33682)
+
 <a id="14.3.0"></a>
 ## 2020-05-19, Version 14.3.0 (Current), @codebytere
 
diff --git a/src/node_version.h b/src/node_version.h
@@ -23,13 +23,13 @@
 #define SRC_NODE_VERSION_H_
 
 #define NODE_MAJOR_VERSION 14
-#define NODE_MINOR_VERSION 3
-#define NODE_PATCH_VERSION 1
+#define NODE_MINOR_VERSION 4
+#define NODE_PATCH_VERSION 0
 
 #define NODE_VERSION_IS_LTS 0
 #define NODE_VERSION_LTS_CODENAME ""
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
