
Create a new pull request by comparing changes across two branches #969

Merged
merged 15 commits into from
Feb 15, 2024

Conversation

GulajavaMinistudio

No description provided.

zcbenz and others added 15 commits February 12, 2024 10:39
PR-URL: #51676
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
Reviewed-By: Debadree Chatterjee <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #51592
Reviewed-By: Chemi Atlow <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
This is a security release.

Notable changes:

crypto:
  * update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
deps:
  * upgrade npm to 10.2.4 (npm team) #50751
  * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614
http:
  * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520
lib:
  * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536
src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
test:
  * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621
tools:
  * add macOS notarization verification step (Ulises Gascón) #50833
  * use macOS keychain to notarize the releases (Ulises Gascón) #50715
  * remove unused file (Ulises Gascon) #50622
  * add macOS notarization stapler (Ulises Gascón) #50625
  * improve macOS notarization process output readability (Ulises Gascón) #50389
  * remove unused `version` function (Ulises Gascón) #50390
win,tools:
  * upgrade Windows signing to smctl (Stefan Stojanovic) #50956
zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

PR-URL: nodejs-private/node-private#545
This is a security release.

Notable changes:

crypto:
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
deps:
  * upgrade libuv to 1.48.0 (Santiago Gimeno) #51699
  * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#529
  * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51737
fs:
  * protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#49
http:
  * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#519
lib:
  * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#539
  * use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
src,deps:
  * disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#529
test,doc:
  * clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#541

PR-URL: nodejs-private/node-private#544
This is a security release.

Notable changes:

crypto:
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
deps:
  * upgrade libuv to 1.48.0 (Santiago Gimeno) #51698
  * disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#528
fs:
  * protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
http:
  * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#518
lib:
  * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#538
  * use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
src,deps:
  * disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#528
test,doc:
  * clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#540

PR-URL: nodejs-private/node-private#543
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177

Disable RSA_PKCS1_PADDING for crypto.privateDecrypt() in order
to protect against the Marvin attack.

Includes a security revert flag that can be used to restore
support.

Signed-off-by: Michael Dawson <[email protected]>
PR-URL: nodejs-private/node-private#525
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2023-46809
Use encodeUtf8String from the encoding_binding internal binding to
convert the result of path.resolve() to a Uint8Array instead of using
Buffer.from(), whose result can be manipulated by the user by
monkey-patching internals such as Buffer.prototype.utf8Write.

HackerOne report: https://hackerone.com/reports/2218653

PR-URL: nodejs-private/node-private#497
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2024-21896
SYS_capget with _LINUX_CAPABILITY_VERSION_3 returns the process's
permitted capabilities as two 32-bit values. To determine if the only
permitted capability is indeed CAP_NET_BIND_SERVICE, it is necessary to
check both of those values.

Not doing so creates a vulnerability that potentially allows
unprivileged users to inject code into a privileged Node.js process
through environment variables such as NODE_OPTIONS.

PR-URL: nodejs-private/node-private#505
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2024-21892
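An added illustration of the two-word check this commit describes, written in C for this page and not taken from the commit or from Node.js's source: capget v3 reports the permitted set as two 32-bit words (capabilities 0..31 and 32..63), and the check has to combine both before comparing against a single expected bit. The local struct declarations and the `process_has_only_capability` helper are assumptions mirroring the capget(2) ABI; the `_lowword_only` variant is a constructed contrast showing what a check that ignores the second word misses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Linux capability numbers used below (from the kernel's capability list). */
#define CAP_NET_BIND_SERVICE_BIT 10
#define CAP_BPF_BIT 39  /* lives in the second 32-bit word */

/* Correct check: fold both permitted words into one 64-bit mask and require
 * that exactly the bit for `cap` is set and nothing else. */
static bool has_only_capability(uint32_t permitted_lo, uint32_t permitted_hi, int cap) {
    if (cap < 0 || cap > 63) return false;
    uint64_t permitted = ((uint64_t)permitted_hi << 32) | permitted_lo;
    uint64_t expected = (uint64_t)1 << cap;
    return permitted == expected;
}

/* Constructed contrast: a check that only looks at the first word cannot see
 * capabilities numbered 32 and above, so a process that also holds e.g. CAP_BPF
 * would wrongly be treated as holding nothing but CAP_NET_BIND_SERVICE. */
static bool has_only_capability_lowword_only(uint32_t permitted_lo, int cap) {
    if (cap < 0 || cap > 31) return false;
    return permitted_lo == ((uint32_t)1 << cap);
}

#ifdef __linux__
#include <sys/syscall.h>
#include <unistd.h>
/* capget(2) v3 ABI, declared locally so the example does not depend on
 * linux/capability.h being installed (assumption: layout matches the kernel). */
#define LINUX_CAPABILITY_VERSION_3 0x20080522
struct cap_user_header { uint32_t version; int pid; };
struct cap_user_data { uint32_t effective, permitted, inheritable; };

/* Query the calling process and apply the two-word check.
 * Returns 1 (only `cap` permitted), 0 (anything else), or -1 on syscall error. */
static int process_has_only_capability(int cap) {
    struct cap_user_header hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    struct cap_user_data data[2];
    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return has_only_capability(data[0].permitted, data[1].permitted, cap) ? 1 : 0;
}
#endif
```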
PR-URL: nodejs-private/node-private#518
Fixes: https://hackerone.com/reports/2233486
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2024-22019
setuid() does not affect libuv's internal io_uring operations if
initialized before the call to setuid(). This potentially allows the
process to perform privileged operations despite presumably having
dropped such privileges through a call to setuid(). Similar concerns
apply to other functions that modify the process's user identity.

This commit changes libuv's io_uring behavior from opt-out (through
UV_USE_IO_URING=0) to opt-in (through UV_USE_IO_URING=1) until we figure
out a better long-term solution.

PR-URL: nodejs-private/node-private#528
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2024-22017
Within Node.js, attempt to determine if libuv is using io_uring. If it
is, disable process.setuid() and other user identity setters.

We cannot fully prevent users from changing the process's user identity,
but this should still prevent some accidental, dangerous scenarios.

PR-URL: nodejs-private/node-private#528
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2024-22017
PR-URL: #51697
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Debadree Chatterjee <[email protected]>
@GulajavaMinistudio GulajavaMinistudio merged commit 414da35 into javascript-indonesias:master Feb 15, 2024
19 of 21 checks passed

10 participants