Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Patch security changes #1

Merged
merged 36 commits into from
Jul 4, 2023
Merged

Patch security changes #1

merged 36 commits into from
Jul 4, 2023

Conversation

denihs
Copy link

@denihs denihs commented Jun 22, 2023
edited
Loading

Node released a new security patch. Check it here.

These are the commits we already merged:

Not merged:

denihs and others added 4 commits June 21, 2023 15:53
@denihs
bump NODE_PATCH_VERSION
7b6b0d7
@targos @denihs
test: allow SIGBUS in signal-handler abort test
c33c6c6 
FreeBSD uses SIGBUS after update to v12.4.

Refs: nodejs/build#3134
PR-URL: nodejs#47851
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@RafaelGSS @denihs
policy: handle mainModule.__proto__ bypass
1fea04d 
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/418
PR-URL: https://github.com/nodejs-private/node-private/pull/416
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=1877919
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30581
@tniessen @denihs
msi: do not create AppData\Roaming\npm
0389f87 
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
@CLAassistant
Copy link

CLAassistant commented Jun 22, 2023
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 9 committers have signed the CLA.

✅ denihs
✅ Grubba27
❌ targos
❌ RafaelGSS
❌ richardlau
❌ tniessen
❌ ShogunPanda
❌ indutny
❌ mcollina
You have signed the CLA already but the status is still pending? Let us recheck it.

RafaelGSS and others added 8 commits June 22, 2023 10:55
@RafaelGSS @denihs
deps: update archs files for OpenSSL-1.1.1u+quic
2adbba5 
 After an OpenSSL source update, all the config files need to be
 regenerated and committed by:
    $ make -C deps/openssl/config
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/include/crypto/bn_conf.h
    $ git add deps/openssl/openssl/include/crypto/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: nodejs#48369
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>

# Conflicts:
#	deps/openssl/config/archs/BSD-x86/asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pm
#	deps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86/no-asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86_64/asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN32/asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pm
#	deps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN32/no-asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64A/asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pm
#	deps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix-gcc/asm/configdata.pm
#	deps/openssl/config/archs/aix-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/aix-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/aix-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/aix-gcc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix64-gcc/asm/configdata.pm
#	deps/openssl/config/archs/aix64-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix64-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/aix64-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/aix64-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/aix64-gcc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin-i386-cc/asm/configdata.pm
#	deps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pm
#	deps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pm
#	deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pm
#	deps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pm
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/configdata.pm
#	deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-aarch64/asm/configdata.pm
#	deps/openssl/config/archs/linux-aarch64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-aarch64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-aarch64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-aarch64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-aarch64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-armv4/asm/configdata.pm
#	deps/openssl/config/archs/linux-armv4/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-armv4/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-armv4/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-armv4/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-armv4/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-elf/asm/configdata.pm
#	deps/openssl/config/archs/linux-elf/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-elf/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-elf/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-elf/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-elf/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc/asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-ppc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64/asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-ppc64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64le/asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64le/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64le/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64le/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64le/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-x86_64/asm/configdata.pm
#	deps/openssl/config/archs/linux-x86_64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-x86_64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-x86_64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-x86_64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-x86_64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux32-s390x/asm/configdata.pm
#	deps/openssl/config/archs/linux32-s390x/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux32-s390x/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux32-s390x/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux32-s390x/no-asm/configdata.pm
#	deps/openssl/config/archs/linux32-s390x/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-mips64/asm/configdata.pm
#	deps/openssl/config/archs/linux64-mips64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-mips64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux64-mips64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-mips64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux64-mips64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-riscv64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux64-riscv64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-riscv64/no-asm/openssl.gypi
#	deps/openssl/config/archs/linux64-s390x/asm/configdata.pm
#	deps/openssl/config/archs/linux64-s390x/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-s390x/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux64-s390x/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-s390x/no-asm/configdata.pm
#	deps/openssl/config/archs/linux64-s390x/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris-x86-gcc/asm/configdata.pm
#	deps/openssl/config/archs/solaris-x86-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/solaris-x86-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/solaris-x86-gcc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm/configdata.pm
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/crypto/buildinf.h
@RafaelGSS @denihs
deps: update c-ares to 1.19.1
32bbd28 
PR-URL: nodejs#48115
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/437
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

# Conflicts:
#	deps/cares/CHANGES
#	deps/cares/CMakeLists.txt
#	deps/cares/RELEASE-NOTES
#	deps/cares/aminclude_static.am
#	deps/cares/configure
#	deps/cares/configure.ac
#	deps/cares/include/ares_version.h
#	deps/cares/src/lib/Makefile.in
#	deps/cares/src/lib/ares_data.h
#	deps/cares/src/lib/ares_destroy.c
#	deps/cares/src/lib/ares_getaddrinfo.c
#	deps/cares/src/lib/ares_init.c
#	deps/cares/src/lib/ares_strsplit.c
@richardlau @denihs
deps: set CARES_RANDOM_FILE for c-ares
7d4da40 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@denihs
Revert "deps: set CARES_RANDOM_FILE for c-ares"
4e949cb 
This reverts commit 7d4da40.
@denihs
Revert "deps: update c-ares to 1.19.1"
89e2f47 
This reverts commit 32bbd28.
@denihs
Revert "Revert "deps: update c-ares to 1.19.1""
33c102e 
This reverts commit 89e2f47.
@denihs
Revert "Revert "deps: set CARES_RANDOM_FILE for c-ares""
58a9cc0 
This reverts commit 4e949cb.
@denihs
Revert "bump NODE_PATCH_VERSION"
278ea32 
This reverts commit 7b6b0d7.
@erikolofsson
Copy link

This is missing: nodejs@e42ff4b018
We definitely need the OpenSSL and c-ares updates as they contain security vulnerabilities.

We are already building node ourselves so I gave cherry-picking the fixes from node 16 a try to see what breaks. What I needed to do was:

  • Redo the OpenSSL import and arch files update directly from source according to the instructions in the commit message from the last OpenSSL update in node 14. This differs from node 16 where they use a fork of OpenSSL which includes quic.
  • Cherry-pick c-ares 1.19.0 update from node 16 before 1.19.1 as that was not included in node 14 previously.
  • Manually port the llhttp patch to the 2.1.x branch for llhttp that is used in node 14. Needed to change lenient flags check as that had been refactored in 6.x that is used in node 16. make release and copy the release directory to the deps/llhttp in node. See: Favro/llhttp@2e2886b

You can see the full list of commits I cherry-picked and successfully built here: Malterlib/node@edd64fe...b7ed6ae

We are using BoringSSL instead of OpenSSL, so I didn't try if the OpenSSL build works with the alternate method, but it should be ok.

@Grubba27 Grubba27 mentioned this pull request Jun 26, 2023
Merged
tniessen and others added 15 commits June 26, 2023 09:38
@tniessen @denihs
msi: do not create AppData\Roaming\npm
126cdbf 
This effectively reverts e431cae due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve nodejs/node-v0.x-archive#8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see nodejs/node-v0.x-archive#25640).

Refs: nodejs/node-v0.x-archive#8141
Refs: nodejs/node-v0.x-archive#8838
Refs: nodejs/node-v0.x-archive#25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30585
@RafaelGSS @denihs
policy: handle mainModule.__proto__ bypass
4f48806 
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/418
PR-URL: https://github.com/nodejs-private/node-private/pull/416
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=1877919
Reviewed-By: Rich Trott <rtrott@gmail.com>
CVE-ID: CVE-2023-30581
@targos @denihs
test: allow SIGBUS in signal-handler abort test
6db6599 
FreeBSD uses SIGBUS after update to v12.4.

Refs: nodejs/build#3134
PR-URL: nodejs#47851
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@ShogunPanda @denihs
http: disable request smuggling via empty headers
864798c 
PR-URL: https://github.com/nodejs-private/node-private/pull/429
Refs: https://github.com/nodejs-private/node-private/pull/427
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2023-30589

# Conflicts:
#	deps/llhttp/CMakeLists.txt
#	deps/llhttp/include/llhttp.h
#	deps/llhttp/src/llhttp.c
@denihs
additional properties to llhttp__internal_s struct
cd12609
@indutny @denihs
deps: update llhttp to 5.1.0
71a5671 
PR-URL: nodejs#38146
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniele Belardi <dwon.dnl@gmail.com>

# Conflicts:
#	deps/llhttp/README.md
#	deps/llhttp/include/llhttp.h
#	deps/llhttp/src/llhttp.c
@indutny @denihs
deps: update llhttp to 6.0.0
9874416 
See: nodejs#37678 (comment)

PR-URL: nodejs#38277
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
@indutny @denihs
deps: update llhttp to 6.0.1
992d075 
PR-URL: nodejs#38359
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
@mcollina @denihs
deps: update llhttp to 6.0.4
ab288b0 
Refs: https://hackerone.com/reports/1238099
Refs: https://hackerone.com/reports/1238709
Refs: https://github.com/nodejs-private/llhttp-private/pull/6
Refs: https://github.com/nodejs-private/llhttp-private/pull/5
CVE-ID: CVE-2021-22959
CVE-ID: CVE-2021-22960

PR-URL: https://github.com/nodejs-private/node-private/pull/284
Reviewed-By: Akshay K <iit.akshay@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>

# Conflicts:
#	deps/llhttp/CMakeLists.txt
#	deps/llhttp/include/llhttp.h
@ShogunPanda @denihs
http: stricter Transfer-Encoding and header separator parsing
95d1845 
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/315
CVE-ID: CVE-2022-32215,CVE-2022-32214,CVE-2022-32212

Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/326

# Conflicts:
#	test/parallel/test-http-missing-header-separator-cr.js
#	test/parallel/test-http-transfer-encoding-smuggling.js
@ShogunPanda @denihs
http: disable request smuggling via empty headers
d3a4b8c 
PR-URL: https://github.com/nodejs-private/node-private/pull/429
Refs: https://github.com/nodejs-private/node-private/pull/427
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2023-30589

# Conflicts:
#	deps/llhttp/CMakeLists.txt
#	deps/llhttp/include/llhttp.h
#	deps/llhttp/src/llhttp.c
@RafaelGSS @denihs
deps: upgrade openssl sources to OpenSSL_1_1_1u
6f0674e 
This updates all sources in deps/openssl/openssl by:
    $ git clone https://github.com/quictls/openssl
    $ cd openssl
    $ git checkout OpenSSL_1_1_1u+quic
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../openssl openssl
    $ rm -rf openssl/.git* openssl/.travis*
    $ git add --all openssl
    $ git commit openssl

PR-URL: nodejs#48369
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>

# Conflicts:
#	deps/openssl/openssl/README.md
#	deps/openssl/openssl/include/openssl/opensslv.h
@RafaelGSS @denihs
deps: update archs files for OpenSSL-1.1.1u+quic
44858c2 
 After an OpenSSL source update, all the config files need to be
 regenerated and committed by:
    $ make -C deps/openssl/config
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/include/crypto/bn_conf.h
    $ git add deps/openssl/openssl/include/crypto/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: nodejs#48369
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>

# Conflicts:
#	deps/openssl/config/archs/BSD-x86/asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pm
#	deps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86/no-asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86_64/asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pm
#	deps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN32/asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pm
#	deps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN32/no-asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64A/asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pm
#	deps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pm
#	deps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix-gcc/asm/configdata.pm
#	deps/openssl/config/archs/aix-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/aix-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/aix-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/aix-gcc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix64-gcc/asm/configdata.pm
#	deps/openssl/config/archs/aix64-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/aix64-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/aix64-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/aix64-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/aix64-gcc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin-i386-cc/asm/configdata.pm
#	deps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pm
#	deps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pm
#	deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pm
#	deps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pm
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/configdata.pm
#	deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-aarch64/asm/configdata.pm
#	deps/openssl/config/archs/linux-aarch64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-aarch64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-aarch64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-aarch64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-aarch64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-armv4/asm/configdata.pm
#	deps/openssl/config/archs/linux-armv4/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-armv4/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-armv4/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-armv4/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-armv4/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-elf/asm/configdata.pm
#	deps/openssl/config/archs/linux-elf/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-elf/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-elf/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-elf/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-elf/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc/asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-ppc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64/asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-ppc64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64le/asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64le/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64le/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-ppc64le/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-ppc64le/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-x86_64/asm/configdata.pm
#	deps/openssl/config/archs/linux-x86_64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux-x86_64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux-x86_64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux-x86_64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux-x86_64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux32-s390x/asm/configdata.pm
#	deps/openssl/config/archs/linux32-s390x/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux32-s390x/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux32-s390x/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux32-s390x/no-asm/configdata.pm
#	deps/openssl/config/archs/linux32-s390x/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-mips64/asm/configdata.pm
#	deps/openssl/config/archs/linux64-mips64/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-mips64/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux64-mips64/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-mips64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux64-mips64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-riscv64/no-asm/configdata.pm
#	deps/openssl/config/archs/linux64-riscv64/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-riscv64/no-asm/openssl.gypi
#	deps/openssl/config/archs/linux64-s390x/asm/configdata.pm
#	deps/openssl/config/archs/linux64-s390x/asm/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-s390x/asm_avx2/configdata.pm
#	deps/openssl/config/archs/linux64-s390x/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/linux64-s390x/no-asm/configdata.pm
#	deps/openssl/config/archs/linux64-s390x/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris-x86-gcc/asm/configdata.pm
#	deps/openssl/config/archs/solaris-x86-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/solaris-x86-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/solaris-x86-gcc/no-asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm/configdata.pm
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm/crypto/buildinf.h
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/configdata.pm
#	deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/crypto/buildinf.h
#	deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/configdata.pm
#	deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/crypto/buildinf.h
@denihs
bring changes to test-process-versions.js from node/v16.x branch
9a977f2
@RafaelGSS @denihs
deps: update c-ares to 1.19.1
e8cda79 
PR-URL: nodejs#48115
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/437
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

# Conflicts:
#	deps/cares/CHANGES
#	deps/cares/CMakeLists.txt
#	deps/cares/RELEASE-NOTES
#	deps/cares/aminclude_static.am
#	deps/cares/configure
#	deps/cares/configure.ac
#	deps/cares/include/ares_version.h
#	deps/cares/src/lib/Makefile.in
#	deps/cares/src/lib/ares_data.h
#	deps/cares/src/lib/ares_destroy.c
#	deps/cares/src/lib/ares_getaddrinfo.c
#	deps/cares/src/lib/ares_init.c
#	deps/cares/src/lib/ares_strsplit.c
richardlau and others added 9 commits July 3, 2023 15:33
@richardlau @denihs
deps: set CARES_RANDOM_FILE for c-ares
8baf61c 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@targos @denihs
deps: update c-ares to 1.19.0
7e35b7e 
Refs: https://c-ares.org/changelog.html#1_19_0
PR-URL: nodejs#46415
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
@RafaelGSS @denihs
deps: update c-ares to 1.19.1
04a0514 
PR-URL: nodejs#48115
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/437
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@tniessen @denihs
crypto: handle cert with invalid SPKI gracefully
8e59989 
When attempting to convert the SPKI of a X509Certificate to a KeyObject,
throw an error if the subjectPublicKey cannot be parsed instead of
aborting the process.

Fixes: https://hackerone.com/bugs?report_id=1884159
PR-URL: https://github.com/nodejs-private/node-private/pull/393/
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
CVE-ID: CVE-2023-30588

# Conflicts:
#	src/crypto/crypto_x509.cc
#	test/parallel/test-crypto-x509.js
@denihs
Revert "crypto: handle cert with invalid SPKI gracefully"
df894b7 
This reverts commit 8e59989.
@tniessen @denihs
doc,test: clarify behavior of DH generateKeys
2f31a9d 
The DiffieHellman class is an old and thin wrapper around certain
OpenSSL functions, many of which are deprecated in OpenSSL 3.0. Because
the Node.js API mirrors the OpenSSL API, it adopts some of its
peculiarities, but the Node.js documentation does not properly reflect
these. Most importantly, despite the documentation saying otherwise,
diffieHellman.generateKeys() does not generate a new private key when
one has already been set or generated. Based on the documentation alone,
users may be led to misuse the API in a way that results in key reuse,
which can have drastic negative consequences for subsequent operations
that consume the shared secret.

These design issues in this old API have been around for many years, and
we are not currently aware of any misuse in the ecosystem that falls
into the above scenario. Changing the behavior of the API would be a
significant breaking change and is thus not appropriate for a security
release (nor is it a goal.) The reported issue is treated as CWE-1068
(after a vast amount of uncertainty whether to treat it as a
vulnerability at all), therefore, this change only updates the
documentation to match the actual behavior. Tests are also added that
demonstrate this particular oddity.

Newer APIs exist that can be used for some, but not all, Diffie-Hellman
operations (e.g., crypto.diffieHellman() that was added in 2020). We
should keep modernizing crypto APIs, but that is a non-goal for this
security release.

The ECDH class mirrors the DiffieHellman class in many ways, but it does
not appear to be affected by this particular peculiarity. In particular,
ecdh.generateKeys() does appear to always generate a new private key.

PR-URL: https://github.com/nodejs-private/node-private/pull/426
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
CVE-ID: CVE-2023-30590

# Conflicts:
#	doc/api/crypto.md
#	test/parallel/test-crypto-dh.js
@denihs
Revert "doc,test: clarify behavior of DH generateKeys"
d747fc7 
This reverts commit 2f31a9d.
@denihs
Merge branch 'chore-patch-security-14.21.4' into patch-security-14.21.4
a6106a3
@Grubba27
added patch
76dc7a6
@Grubba27 Grubba27 merged commit 2d931e1 into release-v14.x Jul 4, 2023
@antobinary antobinary mentioned this pull request Aug 9, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Grubba27 Grubba27 Grubba27 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.