This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
- OpenSSL Security Releases
- c-ares vulnerabilities:
More detailed information on each of the vulnerabilities can be found in the June 2023 Security Releases blog post.
Commits
- [bf3e2c8928] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen) nodejs-private/node-private#393
- [70f9449072] - deps: set CARES_RANDOM_FILE for c-ares (Richard Lau) #48156
- [35d4efb57b] - deps: update c-ares to 1.19.1 (RafaelGSS) #48115
- [392dfedc77] - deps: update archs files for openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402
- [46cd5fe38b] - deps: upgrade openssl sources to quictls/openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402
- [7e3d2d85c2] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426
- [4ff6ba050a] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#428
- [ab269129a6] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408
- [925e8f5619] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416
- [d6fae8e47e] - test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #47851