From 960b20925b106dbdd92b490bb71621ef8de7d33f Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 17 Dec 2019 16:42:32 -0800 Subject: [PATCH 1/7] 2019-dec sec release post-announcement --- build.js | 2 +- .../december-2019-security-releases.md | 49 ++++++++++++++++++- 2 files changed, 48 insertions(+), 3 deletions(-) diff --git a/build.js b/build.js index 1a0e0a9a150eb..8e04ca9c54a8e 100755 --- a/build.js +++ b/build.js @@ -291,7 +291,7 @@ function getSource (callback) { }, banner: { visible: true, - text: 'New security releases to be made available Dec 17, 2019', + text: 'New security releases now available for all release lines', link: '/en/blog/vulnerability/december-2019-security-releases/' } } diff --git a/locale/en/blog/vulnerability/december-2019-security-releases.md b/locale/en/blog/vulnerability/december-2019-security-releases.md index eadcc4cfa240e..20b41eaa5a4e5 100644 --- a/locale/en/blog/vulnerability/december-2019-security-releases.md +++ b/locale/en/blog/vulnerability/december-2019-security-releases.md @@ -1,12 +1,57 @@ --- -date: 2019-12-12T18:20:47.733Z +date: 2019-12-18T00:23:00.000Z category: vulnerability title: December 2019 Security Releases slug: december-2019-security-releases layout: blog-post.hbs -author: Michael Dawson +author: Michael Dawson, Sam Roberts --- +## _(Update 18-December-2019)_ Releases available + +These releases update npm to v6.13.4 to address three vulnerabilities described below. + +All current release lines were affected. + +At this time, CVEs have been requested by npm, Inc. and are pending review. See https://twitter.com/ahmadnassri/status/1205132161961123841 for more information. + +### Global `node_modules` Binary Overwrite + +Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global `node_modules` Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. + +For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global `node_modules` directory. + +This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. + +* https://www.npmjs.com/advisories/1437 + +### Symlink reference outside of `node_modules` + +Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of `node_modules`. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected. + +This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. + +* https://www.npmjs.com/advisories/1436 + +### Arbitrary File Write + +Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. It is only possible to affect files that the user running npm install has access to. + +This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. + +* https://www.npmjs.com/advisories/1434 + +### Downloads + +* [Node.js v13.4.0](https://nodejs.org/en/blog/release/v13.4.0/) +* [Node.js v12.14.0](https://nodejs.org/en/blog/release/v12.14.0/) +* [Node.js v10.18.0](https://nodejs.org/en/blog/release/v10.18.0/) +* [Node.js v8.17.0](https://nodejs.org/en/blog/release/v8.17.0/) + +Please note that this will be the final release of the v8.x line as support ends after December 31st, 2019. + +-------------------------------------- + # Summary The Node.js project will release new versions of all supported release lines on or shortly after Tuesday December 17, 2019 UTC. For versions 8, 10, and 12 the only update to the runtime in these releases will be an updated version of npm addressing the vulnerability announced in https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli. Version 13, while still being a security release, will include all commits that were scheduled to be included in the originally scheduled release. From 64249bc8cc54d8185e689cdb75d28c3d25be9288 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 17 Dec 2019 17:47:39 -0800 Subject: [PATCH 2/7] Update locale/en/blog/vulnerability/december-2019-security-releases.md Co-Authored-By: Colin Ihrig --- locale/en/blog/vulnerability/december-2019-security-releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locale/en/blog/vulnerability/december-2019-security-releases.md b/locale/en/blog/vulnerability/december-2019-security-releases.md index 20b41eaa5a4e5..ad891586b5f2f 100644 --- a/locale/en/blog/vulnerability/december-2019-security-releases.md +++ b/locale/en/blog/vulnerability/december-2019-security-releases.md @@ -37,7 +37,7 @@ This behavior is still possible through install scripts. This vulnerability bypa Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. It is only possible to affect files that the user running npm install has access to. -This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. +This behavior is still possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. * https://www.npmjs.com/advisories/1434 From 7f7843ee09fa99c3b929fd7ca8d42e4dc4ccd2d5 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 17 Dec 2019 17:47:59 -0800 Subject: [PATCH 3/7] Update locale/en/blog/vulnerability/december-2019-security-releases.md Co-Authored-By: Colin Ihrig --- locale/en/blog/vulnerability/december-2019-security-releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locale/en/blog/vulnerability/december-2019-security-releases.md b/locale/en/blog/vulnerability/december-2019-security-releases.md index ad891586b5f2f..215bbcd9fc5f3 100644 --- a/locale/en/blog/vulnerability/december-2019-security-releases.md +++ b/locale/en/blog/vulnerability/december-2019-security-releases.md @@ -35,7 +35,7 @@ This behavior is still possible through install scripts. This vulnerability bypa ### Arbitrary File Write -Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. It is only possible to affect files that the user running npm install has access to. +Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the `bin` field. A properly constructed entry in the package.json `bin` field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. It is only possible to affect files that the user running `npm install` has access to. This behavior is still possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. From 304507a714b0c5cfdd780fa63c0ae2d9749fef96 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 17 Dec 2019 17:48:12 -0800 Subject: [PATCH 4/7] Update locale/en/blog/vulnerability/december-2019-security-releases.md Co-Authored-By: Colin Ihrig --- locale/en/blog/vulnerability/december-2019-security-releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locale/en/blog/vulnerability/december-2019-security-releases.md b/locale/en/blog/vulnerability/december-2019-security-releases.md index 215bbcd9fc5f3..4b3f8b688e06c 100644 --- a/locale/en/blog/vulnerability/december-2019-security-releases.md +++ b/locale/en/blog/vulnerability/december-2019-security-releases.md @@ -29,7 +29,7 @@ This behavior is still allowed in local installations and also through install s Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of `node_modules`. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected. -This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. +This behavior is still possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. * https://www.npmjs.com/advisories/1436 From 9bc3c6b7064217651a05f8f99e6ff93f8611f8eb Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 17 Dec 2019 17:48:24 -0800 Subject: [PATCH 5/7] Update locale/en/blog/vulnerability/december-2019-security-releases.md Co-Authored-By: Colin Ihrig --- locale/en/blog/vulnerability/december-2019-security-releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locale/en/blog/vulnerability/december-2019-security-releases.md b/locale/en/blog/vulnerability/december-2019-security-releases.md index 4b3f8b688e06c..d6cd6b99bbc60 100644 --- a/locale/en/blog/vulnerability/december-2019-security-releases.md +++ b/locale/en/blog/vulnerability/december-2019-security-releases.md @@ -21,7 +21,7 @@ Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global `node_modules For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global `node_modules` directory. -This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. +This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. * https://www.npmjs.com/advisories/1437 From 705f3a8d45f890d6d83757cd027029beacd4cecb Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 17 Dec 2019 17:48:32 -0800 Subject: [PATCH 6/7] Update locale/en/blog/vulnerability/december-2019-security-releases.md Co-Authored-By: Colin Ihrig --- locale/en/blog/vulnerability/december-2019-security-releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locale/en/blog/vulnerability/december-2019-security-releases.md b/locale/en/blog/vulnerability/december-2019-security-releases.md index d6cd6b99bbc60..32392601a5cc0 100644 --- a/locale/en/blog/vulnerability/december-2019-security-releases.md +++ b/locale/en/blog/vulnerability/december-2019-security-releases.md @@ -19,7 +19,7 @@ At this time, CVEs have been requested by npm, Inc. and are pending review. See Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global `node_modules` Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. -For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global `node_modules` directory. +For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global `node_modules` directory. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. From 1d0f3f1b347efd3405c81c5923cf07f334c9ef09 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 17 Dec 2019 17:48:40 -0800 Subject: [PATCH 7/7] Update locale/en/blog/vulnerability/december-2019-security-releases.md Co-Authored-By: Colin Ihrig --- locale/en/blog/vulnerability/december-2019-security-releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locale/en/blog/vulnerability/december-2019-security-releases.md b/locale/en/blog/vulnerability/december-2019-security-releases.md index 32392601a5cc0..b983ac5e48c09 100644 --- a/locale/en/blog/vulnerability/december-2019-security-releases.md +++ b/locale/en/blog/vulnerability/december-2019-security-releases.md @@ -27,7 +27,7 @@ This behavior is still allowed in local installations and also through install s ### Symlink reference outside of `node_modules` -Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of `node_modules`. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected. +Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of `node_modules`. It is possible for packages to create symlinks to files outside of the `node_modules` folder through the `bin` field upon installation. A properly constructed entry in the package.json `bin` field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the `npm install` are affected. This behavior is still possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option.