This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-32002: Policies can be bypassed via Module._load (High)
- CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
- CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
- OpenSSL Security Releases
More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.
Commits
- [
40c3958a5a] - deps: update archs files for OpenSSL-1.1.1v (RafaelGSS) #49043 - [
a9ac9da89a] - deps: fix openssl crypto clean (RafaelGSS) #49043 - [
362d4c7494] - deps: upgrade openssl sources to OpenSSL_1_1_1v (RafaelGSS) #49043 - [
d8ccfe9ad4] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#445 - [
242aaa0caa] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#459