nodemailer 9.0.2 → 9.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +7 -0
- package/lib/dkim/relaxed-body.js +1 -1
- package/lib/smtp-connection/index.js +23 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,12 @@
|
|
|
1
1
|
# CHANGELOG
|
|
2
2
|
|
|
3
|
+
## [9.0.3](https://github.com/nodemailer/nodemailer/compare/v9.0.2...v9.0.3) (2026-06-30)
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
### Bug Fixes
|
|
7
|
+
|
|
8
|
+
* **smtp-connection:** harden STARTTLS upgrade and secure socket handling ([#1835](https://github.com/nodemailer/nodemailer/issues/1835)) ([07d8253](https://github.com/nodemailer/nodemailer/commit/07d8253326ecefff9f7d92c157429ce8bc7335f8))
|
|
9
|
+
|
|
3
10
|
## [9.0.2](https://github.com/nodemailer/nodemailer/compare/v9.0.1...v9.0.2) (2026-06-29)
|
|
4
11
|
|
|
5
12
|
|
package/lib/dkim/relaxed-body.js
CHANGED
|
@@ -11,7 +11,7 @@ class RelaxedBody extends Transform {
|
|
|
11
11
|
options = options || {};
|
|
12
12
|
this.chunkBuffer = [];
|
|
13
13
|
this.chunkBufferLen = 0;
|
|
14
|
-
this.bodyHash = crypto.createHash(options.hashAlgo || '
|
|
14
|
+
this.bodyHash = crypto.createHash(options.hashAlgo || 'sha256');
|
|
15
15
|
this.remainder = '';
|
|
16
16
|
this.byteLength = 0;
|
|
17
17
|
|
|
@@ -298,6 +298,20 @@ class SMTPConnection extends EventEmitter {
|
|
|
298
298
|
try {
|
|
299
299
|
this._socket.connect(this.port, this.host, () => {
|
|
300
300
|
this._socket.setKeepAlive(true);
|
|
301
|
+
|
|
302
|
+
// a `secure` connection over a caller-provided socket must still
|
|
303
|
+
// perform the TLS handshake, otherwise AUTH and the message body
|
|
304
|
+
// would be sent in cleartext despite the caller requesting TLS
|
|
305
|
+
if (this.secureConnection && !this.alreadySecured) {
|
|
306
|
+
return this._upgradeConnection(err => {
|
|
307
|
+
if (err) {
|
|
308
|
+
this._onError(new Error('Error initiating TLS - ' + (err.message || err)), 'ETLS', false, 'CONN');
|
|
309
|
+
return;
|
|
310
|
+
}
|
|
311
|
+
this._onConnect();
|
|
312
|
+
});
|
|
313
|
+
}
|
|
314
|
+
|
|
301
315
|
this._onConnect();
|
|
302
316
|
});
|
|
303
317
|
this._setupConnectionHandlers();
|
|
@@ -1025,6 +1039,15 @@ class SMTPConnection extends EventEmitter {
|
|
|
1025
1039
|
* has been secured
|
|
1026
1040
|
*/
|
|
1027
1041
|
_upgradeConnection(callback) {
|
|
1042
|
+
// RFC 3207 section 6: the client MUST discard any knowledge obtained from
|
|
1043
|
+
// the server that was not received over the TLS-protected session. Drop any
|
|
1044
|
+
// buffered input received before the handshake so a man-in-the-middle cannot
|
|
1045
|
+
// inject plaintext bytes after the "220" reply (e.g. a CRLF-free fragment that
|
|
1046
|
+
// would otherwise be prepended to the first post-TLS response and parsed as
|
|
1047
|
+
// part of the secured EHLO capabilities). STARTTLS response injection.
|
|
1048
|
+
this._remainder = '';
|
|
1049
|
+
this._responseQueue = [];
|
|
1050
|
+
|
|
1028
1051
|
// do not remove all listeners or it breaks node v0.10 as there's
|
|
1029
1052
|
// apparently a 'finish' event set that would be cleared as well
|
|
1030
1053
|
|