Opened 20 months ago
Closed 20 months ago
#18395 closed enhancement (fixed)
node.js-18.17.1
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version.
Change History (12)
comment:1 by , 20 months ago
| Priority: | normal → elevated |
|---|---|
comment:2 by , 20 months ago
Looking at this on a recent system with optimizations and hardening in the system, I'm getting a lot more failures than the book reports for v18.17.0:
Failed tests:

```
out/Release/node --tls-min-v1.0 /tmp/node-v18.17.1/test/parallel/test-https-agent-session-eviction.js
out/Release/node /tmp/node-v18.17.1/test/parallel/test-tls-alert.js
out/Release/node --tls-max-v1.3 /tmp/node-v18.17.1/test/parallel/test-tls-cli-max-version-1.3.js
out/Release/node --tls-min-v1.1 /tmp/node-v18.17.1/test/parallel/test-tls-cli-min-version-1.1.js
out/Release/node --tls-max-v1.2 /tmp/node-v18.17.1/test/parallel/test-tls-cli-max-version-1.2.js
out/Release/node --tls-min-v1.3 /tmp/node-v18.17.1/test/parallel/test-tls-cli-min-version-1.3.js
out/Release/node --tls-min-v1.2 /tmp/node-v18.17.1/test/parallel/test-tls-cli-min-version-1.2.js
out/Release/node /tmp/node-v18.17.1/test/parallel/test-tls-getprotocol.js
out/Release/node /tmp/node-v18.17.1/test/parallel/test-tls-min-max-version.js
out/Release/node /tmp/node-v18.17.1/test/parallel/test-tls-session-cache.js
make[1]: *** [Makefile:308: jstest] Error 1
make: *** [Makefile:342: test-only] Error 2
```
comment:3 by , 20 months ago
Remaining measurements from my build:
time [ -j8 ] 13.3 SBU plus 3.4 SBU for testing
space 971 MB + 25 MB for tests.
Seems to work adequately on brief tests, but these figures are so different from what is in the book that I'm not willing to take this.
comment:4 by , 20 months ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
comment:5 by , 20 months ago
## 2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

### Notable Changes

The following CVEs are fixed in this release:

* CVE-2023-32002: Policies can be bypassed via Module._load (High)
* CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
* CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
* OpenSSL Security Releases
  * [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  * [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  * [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)

More detailed information on each of the vulnerabilities can be found in the [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.

### Commits

* deps: update archs files for openssl-3.0.10+quic1
* deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1
* policy: handle Module.constructor and main.extensions bypass
* policy: disable process.binding() when enabled
Waiting on stats at the moment
comment:7 by , 20 months ago
My stats are within margin of error of yours:
I'm getting 13 SBU for the build without tests at -j8; I think that's probably within the margin of error if you're still using GCC-13.1. My build size is 992 MB.
Now waiting on tests
comment:8 by , 20 months ago
3.3 SBUs for tests here
Failed tests:

```
out/Release/node --tls-min-v1.0 /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-https-agent-session-eviction.js
out/Release/node /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-net-socket-connect-without-cb.js
out/Release/node --expose-internals /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tcp-wrap-listen.js
out/Release/node /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-alert.js
out/Release/node --tls-max-v1.3 /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-cli-max-version-1.3.js
out/Release/node --tls-min-v1.1 /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-cli-min-version-1.1.js
out/Release/node --tls-min-v1.2 /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-cli-min-version-1.2.js
out/Release/node --tls-max-v1.2 /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-cli-max-version-1.2.js
out/Release/node --tls-min-v1.3 /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-cli-min-version-1.3.js
out/Release/node /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-getprotocol.js
out/Release/node /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-min-max-version.js
out/Release/node /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-tls-session-cache.js
out/Release/node /sources/node-v18.17.1/node-v18.17.1/test/parallel/test-dns-perf_hooks.js
```
Some of these were timeouts, but others seem to be because it's expecting TLS V1 support to be available and our version of OpenSSL does not return what it expects:
```
+ 'ERR_SSL_NO_PROTOCOLS_AVAILABLE'
- 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION'
```
comment:9 by , 20 months ago
It looks like these are new to 18.17.1, but I also didn't have OpenSSL-3.1 when I was building Node last
comment:10 by , 20 months ago
Going to try a build of 18.17.0 real quick to isolate OpenSSL as the cause, but otherwise I've got it queued up and ready to go
comment:12 by , 20 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 7aedf147ed4c44615ef23c34883b2bf92c5d53dd
SA-11.3-077 issued
See https://nodejs.org/en/blog/release/v18.17.1 for the release note, further details at https://nodejs.org/en/blog/vulnerability/august-2023-security-releases
A quick reading of that suggested that all the affected vulnerabilities are in experimental features, but I guess that those appear to always get enabled. I asked on oss-security last night whether they can be disabled, or whether impacted users can be detected, but it's a bit early to get a response and maybe nobody there knows.