Opened 22 months ago

Closed 22 months ago

Last modified 20 months ago

#18187 closed enhancement (fixed)

node.js-18.16.1

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Douglas R. Reno, 22 months ago

Priority: normal → elevated

Moving to elevated for security fixes

comment:2 by Douglas R. Reno, 22 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 22 months ago

## 2023-06-20, Version 18.16.1 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

### Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-30581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581): `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
* [CVE-2023-30585](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* [CVE-2023-30588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588): Process interruption due to invalid Public Key information in x509 certificates (Medium)
* [CVE-2023-30589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589): HTTP Request Smuggling via Empty headers separated by CR (Medium)
* [CVE-2023-30590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590): DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases
  * [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt).
  * [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt).
  * [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt)
* c-ares vulnerabilities:
  * [GHSA-9g78-jv2r-p7vc](https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc)
  * [GHSA-8r8p-23f3-64c2](https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
  * [GHSA-54xr-f67r-4pc4](https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4)
  * [GHSA-x6mf-cxr9-8q6v](https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v)

More detailed information on each of the vulnerabilities can be found in the [June 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/) blog post.

### Commits

crypto: handle cert with invalid SPKI gracefully
deps: set `CARES_RANDOM_FILE` for c-ares
deps: update c-ares to 1.19.1
deps: update archs files for openssl-3.0.9-quic1
deps: upgrade openssl sources to quictls/openssl-3.0.9-quic1
doc,test: clarify behavior of DH generateKeys
http: disable request smuggling via empty headers
policy: handle `mainModule.__proto__` bypass
test: allow SIGBUS in signal-handler abort test

In our case, we're only affected by CVE-2023-30581, CVE-2023-30588, CVE-2023-30589, and CVE-2023-30590. We don't use the bundled c-ares or OpenSSL so we're not impacted by those, and we're not on Windows so the MSI Repair vulnerability doesn't affect us.

I did trim the commits list to the ones only relevant for Linux.

More security details can be found here: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

The release notes can be found here: https://github.com/nodejs/node/commit/b607b74a4fb3640fc958cff1ff81ca7558134e9d

It's unfortunately too long for Github to render, so I just pointed to the diff from v18.16.0 -> v18.16.1.

comment:4 by Douglas R. Reno, 22 months ago

Resolution: fixed
Status: assigned → closed

comment:5 by Douglas R. Reno, 22 months ago

SA-11.3-045 issued

comment:6 by Bruce Dubbs, 20 months ago

Milestone: 11.4 → 12.0

Milestone renamed
