From 9b1bf44ea9e7785e38c93b7d22d32dbca262df6c Mon Sep 17 00:00:00 2001 
From: marco-ippolito
Date: Wed, 7 Feb 2024 17:22:04 +0100
Subject: [PATCH] 2024-02-14, Version 20.11.1 'Iron' (LTS)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a security release.

Notable changes:

crypto:
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525
deps:
  * upgrade libuv to 1.48.0 (Santiago Gimeno) https://github.com/nodejs/node/pull/51699
  * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/51614
  * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/51614
  * disable io\_uring support in libuv by default (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/529
  * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) https://github.com/nodejs/node/pull/51737
fs:
  * protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/49
http:
  * add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/519
lib:
  * update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/539
  * use cache fs internals against path traversal (RafaelGSS) https://github.com/nodejs-private/node-private/pull/516
src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505
src,deps:
  * disable setuid() etc if io\_uring enabled (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/529
test,doc:
  * clarify wildcard usage (RafaelGSS) https://github.com/nodejs-private/node-private/pull/517
zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/541

PR-URL: https://github.com/nodejs-private/node-private/pull/544
---
 CHANGELOG.md | 3 ++-
 doc/api/errors.md | 2 +-
doc/changelogs/CHANGELOG_V20.md | 40 +++++++++++++++++++++++++++++++++ src/node_version.h | 2 +- 4 files changed, 44 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc39073b06aba1..35ac4fb4b8c118 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,7 +35,8 @@ release. -20.11.0
+20.11.1
+20.11.0
20.10.0
20.9.0
20.8.1
diff --git a/doc/api/errors.md b/doc/api/errors.md index 251a0113aaf44b..1a7cd183a459eb 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -3160,7 +3160,7 @@ an `Error` with this code will be emitted. ### `HPE_CHUNK_EXTENSIONS_OVERFLOW` Too much data was received for a chunk extensions. In order to protect against diff --git a/doc/changelogs/CHANGELOG_V20.md b/doc/changelogs/CHANGELOG_V20.md index b0eb2ee4710126..0917a80e3379f9 100644 --- a/doc/changelogs/CHANGELOG_V20.md +++ b/doc/changelogs/CHANGELOG_V20.md @@ -9,6 +9,7 @@ +20.11.1
20.11.0
20.10.0
20.9.0
@@ -53,6 +54,45 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2024-02-14, Version 20.11.1 'Iron' (LTS), @RafaelGSS prepared by @marco-ippolito + +### Notable changes + +This is a security release. + +### Notable changes + +* CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High) +* CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) +* CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High) +* CVE-2024-22017 - setuid() does not drop all privileges due to io\_uring - (High) +* CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium) +* CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium) +* CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium) +* CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium) +* undici version 5.28.3 +* libuv version 1.48.0 +* OpenSSL version 3.0.13+quic1 + +### Commits + +* \[[`7079c062bb`](https://github.com/nodejs/node/commit/7079c062bb)] - **crypto**: disable PKCS#1 padding for privateDecrypt (Michael Dawson) [nodejs-private/node-private#525](https://github.com/nodejs-private/node-private/pull/525) +* \[[`186a6e1ffb`](https://github.com/nodejs/node/commit/186a6e1ffb)] - **deps**: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) [#51737](https://github.com/nodejs/node/pull/51737) +* \[[`686da19abb`](https://github.com/nodejs/node/commit/686da19abb)] - **deps**: disable io\_uring support in libuv by default (Tobias Nießen) [nodejs-private/node-private#529](https://github.com/nodejs-private/node-private/pull/529) +* \[[`f7b44bfbce`](https://github.com/nodejs/node/commit/f7b44bfbce)] - **deps**: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) 
[#51614](https://github.com/nodejs/node/pull/51614) +* \[[`7a30fecea2`](https://github.com/nodejs/node/commit/7a30fecea2)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) [#51614](https://github.com/nodejs/node/pull/51614) +* \[[`480fc169a8`](https://github.com/nodejs/node/commit/480fc169a8)] - **fs**: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) [nodejs-private/node-private#497](https://github.com/nodejs-private/node-private/pull/497) +* \[[`77ac7c3153`](https://github.com/nodejs/node/commit/77ac7c3153)] - **http**: add maximum chunk extension size (Paolo Insogna) [nodejs-private/node-private#519](https://github.com/nodejs-private/node-private/pull/519) +* \[[`ed7d149675`](https://github.com/nodejs/node/commit/ed7d149675)] - **lib**: use cache fs internals against path traversal (RafaelGSS) [nodejs-private/node-private#516](https://github.com/nodejs-private/node-private/pull/516) +* \[[`89bd5fc38f`](https://github.com/nodejs/node/commit/89bd5fc38f)] - **lib**: update undici to v5.28.3 (Matteo Collina) [nodejs-private/node-private#539](https://github.com/nodejs-private/node-private/pull/539) +* \[[`d01dd4291d`](https://github.com/nodejs/node/commit/d01dd4291d)] - **permission**: fix wildcard when children > 1 (Rafael Gonzaga) [#51209](https://github.com/nodejs/node/pull/51209) +* \[[`40ff37dfcc`](https://github.com/nodejs/node/commit/40ff37dfcc)] - **src**: fix HasOnly(capability) in node::credentials (Tobias Nießen) [nodejs-private/node-private#505](https://github.com/nodejs-private/node-private/pull/505) +* \[[`3f6addd590`](https://github.com/nodejs/node/commit/3f6addd590)] - **src,deps**: disable setuid() etc if io\_uring enabled (Tobias Nießen) [nodejs-private/node-private#529](https://github.com/nodejs-private/node-private/pull/529) +* \[[`d6da413aa4`](https://github.com/nodejs/node/commit/d6da413aa4)] - **test,doc**: clarify wildcard usage (RafaelGSS) 
[nodejs-private/node-private#517](https://github.com/nodejs-private/node-private/pull/517) +* \[[`c213910aea`](https://github.com/nodejs/node/commit/c213910aea)] - **zlib**: pause stream if outgoing buffer is full (Matteo Collina) [nodejs-private/node-private#541](https://github.com/nodejs-private/node-private/pull/541) + ## 2024-01-09, Version 20.11.0 'Iron' (LTS), @UlisesGascon diff --git a/src/node_version.h b/src/node_version.h index 5d492d65f8de3b..8dc271d490e0b0 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -29,7 +29,7 @@ #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Iron" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
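
Review bot: in the doc/api/errors.md hunk, the context sentence under `HPE_CHUNK_EXTENSIONS_OVERFLOW` reads "Too much data was received for a chunk extensions", which mixes a singular article with a plural noun. Since this hunk touches the section anyway, reword it to "for a chunk extension" or "for chunk extensions".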
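
Review bot: in the second doc/changelogs/CHANGELOG_V20.md hunk (@@ -53,6 +54,45 @@), the new 20.11.1 section carries the heading `### Notable changes` twice, once before and once after "This is a security release."; drop the first so the section has a single heading. The CVE bullets end inconsistently (`capabilities- (High)`, `io\_uring - (High)`, `--allow-fs-write (Medium)`), so pick one separator before the severity. CVE-2024-24806 appears in the Commits list (`186a6e1ffb`) but not among the CVE bullets, and the fs fix `480fc169a8` links node-private#497 here while the commit message gives pull/49; the two references should agree.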
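
Review bot: the src/node_version.h hunk only flips `NODE_VERSION_IS_RELEASE` from 0 to 1 and begins at line 29, so the version number macros are not part of this change. Confirm that NODE_PATCH_VERSION already reads 1 on this branch; otherwise the built binary will report a version that does not match the 20.11.1 entries added to the changelogs.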