Opened 14 months ago
Closed 14 months ago
#17669 closed defect (fixed)
node.js v18.14.1
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.3 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
This contains fixes for the following five vulnerabilities, in addition to shipping updated OpenSSL (that part should not affect us since we use system OpenSSL):
CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
Note:
See TracTickets
for help on using tickets.
Forgot to re-push after git pull --no-ff and rebase during first attempt, now pushed in 9bea06ac87eabf0e58595234e8b7f8eb2be612da 11.2-1222.
Security Advisory SA 11.2-097 created.