Opened 3 years ago

Closed 3 years ago

#17119 closed enhancement (fixed)

node.js-16.17.1

Reported by: Douglas R. Reno Owned by: Bruce Dubbs
Priority: elevated Milestone: 11.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version containing several security fixes

Change History (5)

comment:1 by Bruce Dubbs, 3 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Bruce Dubbs, 3 years ago

2022-06-01, Version 17.9.1 (Current)

Notable Changes

  • Upgrade npm to 8.11.0
  • Update to OpenSSL 3.0.3

This update can be treated as a security release as the issues addressed in OpenSSL 3.0.3 slightly affect Node.js 17. See https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022/ for more information on how the May 2022 OpenSSL releases affect other Node.js release lines.

comment:3 by Bruce Dubbs, 3 years ago

Fixed at commit3ffc0fc91b876f93f1bded73250c3ea07fb2b147

Leaving open for security advisory.

comment:4 by Douglas R. Reno, 3 years ago

2022-09-23, Version 16.17.1 'Gallium' (LTS), @ruyadorno

Notable changes

The following CVEs are fixed in this release:

  • CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
  • CVE-2022-32213: bypass via obs-fold mechanic (Medium)
  • CVE-2022-35255: Weak randomness in WebCrypto keygen
  • CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)

More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.

Commits

  • crypto: fix weak randomness in WebCrypto keygen (Ben Noordhuis) nodejs-private/node-private#346
  • http: disable chunked encoding when using OBS fold is used (Paolo Insogna) nodejs-private/node-private#341
  • src: fix IPv4 non routable validation (RafaelGSS) nodejs-private/node-private#337

comment:5 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed

SA-11.2-010 filed. Closing

Note: See TracTickets for help on using tickets.