Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Node v20.15.1 nsolid v5.3.1 release #153

Merged
merged 10 commits into from
Jul 8, 2024
Merged

Node v20.15.1 nsolid v5.3.1 release #153

merged 10 commits into from
Jul 8, 2024

Conversation

trevnorris
Copy link
Member

No description provided.

marco-ippolito and others added 9 commits June 20, 2024 17:48
@marco-ippolito
Working on v20.15.1
d162dca 
PR-URL: nodejs/node#53486
@RafaelGSS
lib,permission: disable fchmod/fchown when pm enabled
d38ea17 
PR-URL: nodejs-private/node-private#584
Refs: https://hackerone.com/reports/2472071
CVE-ID: CVE-2024-36137
@RafaelGSS
lib,permission: support fs.lstat
025cbd6 
PR-URL: nodejs-private/node-private#486
Backport-PR-URL: nodejs-private/node-private#604
CVE-ID: CVE-2024-22018
@RafaelGSS
src,permission: resolve path on fs_permission
484cb0f 
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: nodejs/node#52761
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@RafaelGSS
src: handle permissive extension on cmd check
1ba624c 
PR-URL: nodejs-private/node-private#596
Backport-PR-URL: nodejs-private/node-private#605
CVE-ID: CVE-2024-36138
@RafaelGSS
lib,esm: handle bypass network-import via data:
60e184a 
PR-URL: nodejs-private/node-private#522
CVE-ID: CVE-2024-22020
@RafaelGSS
src,permission: fix UNC path resolution
2524d00 
PR-URL: nodejs-private/node-private#581
CVE-ID: CVE-2024-37372
@RafaelGSS
2024-07-08, Version 20.15.1 'Iron' (LTS)
a407d1f 
This is a security release.

Notable changes:

* CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
* CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
* CVE-2024-22018 - fs.lstat bypasses permission model (Low)
* CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
* CVE-2024-37372 - Permission model improperly processes UNC paths (Low)

PR-URL: nodejs-private/node-private#608
@trevnorris
Merge tag 'v20.15.1' into node-v20.15.1-nsolid-v5.3.1-release
9d83482 
2024-07-08 Node.js v20.15.1 'Iron' (LTS) Release
Git-EVTag-v0-SHA512: a9761cc35145f50e8e3606a285e2843b47e6b430b650c7449fcf4e246b064ff29e74b301dd9b92c0bdd022a8c8aec4a46cb43473864f0d4591f9f4052e1130bf
@trevnorris trevnorris self-assigned this Jul 8, 2024
juanarbol
juanarbol approved these changes Jul 8, 2024
View reviewed changes
Copy link
Contributor

@juanarbol juanarbol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@trevnorris
2024-07-08, Version 20.15.1-nsolid-v5.3.1 'Iron'
b165ab2 
PR-URL: #153
Reviewed-by: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-by: RafaelGSS <rafael.nunu@hotmail.com>
@trevnorris trevnorris force-pushed the node-v20.15.1-nsolid-v5.3.1-release branch from 31000e9 to b165ab2 Compare July 8, 2024 20:18
@trevnorris trevnorris merged commit ea1f715 into node-v20.x-nsolid-v5.x Jul 8, 2024
16 of 18 checks passed
@trevnorris trevnorris deleted the node-v20.15.1-nsolid-v5.3.1-release branch July 8, 2024 20:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanarbol juanarbol juanarbol approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

Assignees

@trevnorris trevnorris

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@trevnorris @juanarbol @RafaelGSS @marco-ippolito