v18.19.1 #4
Merged
v18.19.1 #4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PR-URL: nodejs#50953
SYS_capget with _LINUX_CAPABILITY_VERSION_3 returns the process's permitted capabilities as two 32-bit values. To determine if the only permitted capability is indeed CAP_NET_BIND_SERVICE, it is necessary to check both of those values. Not doing so creates a vulnerability that potentially allows unprivileged users to inject code into a privileged Node.js process through environment variables such as NODE_OPTIONS. PR-URL: nodejs-private/node-private#505 Reviewed-By: Rafael Gonzaga <[email protected]> CVE-ID: CVE-2024-21892
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177 Disable RSA_PKCS1_PADDING for crypto.privateDecrypt() in order to protect against the Marvin attack. Includes a security revert flag that can be used to restore support. Signed-off-by: Michael Dawson <[email protected]> PR-URL: nodejs-private/node-private#525 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Matteo Collina <[email protected]> CVE-ID: CVE-2023-46809
Signed-off-by: Matteo Collina <[email protected]> PR-URL: nodejs-private/node-private#536 CVE-ID: CVE-2024-24758
Signed-off-by: Matteo Collina <[email protected]> PR-URL: nodejs-private/node-private#540 Reviewed-By: Robert Nagy <[email protected]> Ref: https://hackerone.com/reports/2284065 PR-URL: nodejs-private/node-private#542 CVE-ID: CVE-2024-22025
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: nodejs#50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
This is the certdata.txt[0] from NSS 3.95, released on 2023-11-16. This is the version of NSS that will ship in Firefox 121 on 2023-12-19. Certificates added: - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 Certificates removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_95_RTM/lib/ckfw/builtins/certdata.txt PR-URL: nodejs#50805 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#50751 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]>
It is flaky due to the same cause of test-child-process-pipe-dataflow being flaky - cygwin quirks - so skip it on Windows too. Drive-by: remove the skip mark of test-child-process-pipe-dataflow in the status file and directly skip it in the test with a comment. PR-URL: nodejs#49621 Backport-PR-URL: nodejs#51132 Co-authored-by: Artur Yapparov <[email protected]> Reviewed-By: Debadree Chatterjee <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: LiviaMedeiros <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Moshe Atlow <[email protected]>
PR-URL: nodejs#50390 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#50389 Fixes: nodejs/build#3529 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#50625 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: nodejs#50622 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Zeyu "Alex" Yang <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
PR-URL: nodejs#50715 Reviewed-By: Michael Dawson <[email protected]>
PR-URL: nodejs#50833 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
PR-URL: nodejs#51614 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
PR-URL: nodejs#51614 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
This is a security release. Notable changes: crypto: * update root certificates to NSS 3.95 (Node.js GitHub Bot) nodejs#50805 * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525 deps: * upgrade npm to 10.2.4 (npm team) nodejs#50751 * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) nodejs#51614 * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) ://github.com/nodejs/pull/51614 * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) nodejs#51614 http: * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520 lib: * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536 src: * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505 test: * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) nodejs#49621 tools: * add macOS notarization verification step (Ulises Gascón) nodejs#50833 * use macOS keychain to notarize the releases (Ulises Gascón) nodejs#50715 * remove unused file (Ulises Gascon) nodejs#50622 * add macOS notarization stapler (Ulises Gascón) nodejs#50625 * improve macOS notarization process output readability (Ulises Gascón) nodejs#50389 * remove unused `version` function (Ulises Gascón) nodejs#50390 win,tools: * upgrade Windows signing to smctl (Stefan Stojanovic) nodejs#50956 zlib: * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542 PR-URL: nodejs-private/node-private#545
|
just to make it a little more legible to future readers, we noticed we actually merged the parent of the commit we wanted, so we added a second merge commit to merge in 6610cc4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merging in commit from nodejs@3d27175 to our fork of v18