From 6558cfc0b075adfffe0d8c87bbe0d3e0b9326ab5 Mon Sep 17 00:00:00 2001
From: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Date: Tue, 4 Feb 2020 17:58:51 +0000
Subject: [PATCH] 2020-02-06, Version 13.8.0 (Current)

This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/196
---
 CHANGELOG.md                    |  3 ++-
 doc/api/http.md                 |  4 ++--
 doc/changelogs/CHANGELOG_V13.md | 28 ++++++++++++++++++++++++++++
 src/node_version.h              |  6 +++---
 4 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c5c0fd7063cc34..de6e21fed04a4b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,7 +30,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V13.md#13.7.0">13.7.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V13.md#13.8.0">13.8.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V13.md#13.7.0">13.7.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V13.md#13.6.0">13.6.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V13.md#13.5.0">13.5.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V13.md#13.4.0">13.4.0</a><br/>
diff --git a/doc/api/http.md b/doc/api/http.md
index dd90b54d3e11cb..beba834bd72d4f 100644
--- a/doc/api/http.md
+++ b/doc/api/http.md
@@ -2031,7 +2031,7 @@ Found'`.
 <!-- YAML
 added: v0.1.13
 changes:
-  - version: REPLACEME
+  - version: v13.8.0
     pr-url: https://github.com/nodejs/node/pull/31448
     description: The `insecureHTTPParser` option is supported now.
   - version: v13.3.0
@@ -2162,7 +2162,7 @@ This can be overridden for servers and client requests by passing the
 <!-- YAML
 added: v0.3.6
 changes:
-  - version: REPLACEME
+  - version: v13.8.0
     pr-url: https://github.com/nodejs/node/pull/31448
     description: The `insecureHTTPParser` option is supported now.
   - version: v13.3.0
diff --git a/doc/changelogs/CHANGELOG_V13.md b/doc/changelogs/CHANGELOG_V13.md
index 7968c75ef26791..f32347987336e2 100644
--- a/doc/changelogs/CHANGELOG_V13.md
+++ b/doc/changelogs/CHANGELOG_V13.md
@@ -9,6 +9,7 @@
 </tr>
 <tr>
 <td>
+<a href="#13.8.0">13.8.0</a><br/>
 <a href="#13.7.0">13.7.0</a><br/>
 <a href="#13.6.0">13.6.0</a><br/>
 <a href="#13.5.0">13.5.0</a><br/>
@@ -37,6 +38,33 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="13.8.0"></a>
+## 2020-02-06, Version 13.8.0 (Current), @BethGriggs
+
+### Notable Changes
+
+This is a security release.
+
+Vulnerabilities fixed:
+* **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
+* **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
+* **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.
+
+Also, HTTP parsing is more strict to be more secure. Since this may
+cause problems in interoperability with some non-conformant HTTP
+implementations, it is possible to disable the strict checks with the
+`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
+http option. Using the insecure HTTP parser should be avoided.
+
+### Commits
+
+* [[`b7da194714`](https://github.com/nodejs/node/commit/b7da194714)] - **benchmark**: support optional headers with wrk (Sam Roberts) [nodejs-private/node-private#189](https://github.com/nodejs-private/node-private/pull/189)
+* [[`1156a9e5f8`](https://github.com/nodejs/node/commit/1156a9e5f8)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://github.com/nodejs-private/node-private/pull/175)
+* [[`8f41e837bb`](https://github.com/nodejs/node/commit/8f41e837bb)] - **deps**: update llhttp to 2.0.4 (Beth Griggs) [nodejs-private/node-private#199](https://github.com/nodejs-private/node-private/pull/199)
+* [[`07d56e49cf`](https://github.com/nodejs/node/commit/07d56e49cf)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://github.com/nodejs/node/pull/31448)
+* [[`25b6897e8a`](https://github.com/nodejs/node/commit/25b6897e8a)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#189](https://github.com/nodejs-private/node-private/pull/189)
+* [[`eea3a7429b`](https://github.com/nodejs/node/commit/eea3a7429b)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#199](https://github.com/nodejs-private/node-private/pull/199)
+
 <a id="13.7.0"></a>
 ## 2020-01-21, Version 13.7.0 (Current), @codebytere
 
diff --git a/src/node_version.h b/src/node_version.h
index 2fc21b33d11f70..acfa5f18a498f5 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -23,13 +23,13 @@
 #define SRC_NODE_VERSION_H_
 
 #define NODE_MAJOR_VERSION 13
-#define NODE_MINOR_VERSION 7
-#define NODE_PATCH_VERSION 1
+#define NODE_MINOR_VERSION 8
+#define NODE_PATCH_VERSION 0
 
 #define NODE_VERSION_IS_LTS 0
 #define NODE_VERSION_LTS_CODENAME ""
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)