This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-30581:
mainModule.__proto__Bypass Experimental Policy Mechanism (High) - CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
- OpenSSL Security Releases
- c-ares vulnerabilities:
More detailed information on each of the vulnerabilities can be found in June 2023 Security Releases blog post.
Commits
- [
5a92ea7a3b] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen) - [
5df04e893a] - deps: setCARES_RANDOM_FILEfor c-ares (Richard Lau) #48156 - [
c171cbd124] - deps: update c-ares to 1.19.1 (RafaelGSS) #48115 - [
155d3aac02] - deps: update archs files for OpenSSL-1.1.1u+quic (RafaelGSS) #48369 - [
8d4c8f8ebe] - deps: upgrade openssl sources to OpenSSL_1_1_1u (RafaelGSS) #48369 - [
1a5c9284eb] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426 - [
e42ff4b018] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#429 - [
10042683c8] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408 - [
a6f4e87bc9] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416 - [
b77000f4d7] - test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #47851