This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-32002: Policies can be bypassed via Module._load (High)
- CVE-2023-32558: process.binding() can bypass the permission model through path traversal (High)
- CVE-2023-32004: Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
- CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
- CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
- CVE-2023-32005: fs.statfs can bypass the permission model (Low)
- CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
- OpenSSL Security Releases
More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.
Commits
- [
92300b51b4] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036 - [
559698abf2] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036 - [
1bf3429e8e] - lib,permission: restrict process.binding when pm is enabled (RafaelGSS) nodejs-private/node-private#438 - [
98a83a67e6] - permission: ensure to resolve path when calling mkdtemp (RafaelGSS) nodejs-private/node-private#464 - [
1f0cde466b] - permission: handle buffer path on fs calls (RafaelGSS) nodejs-private/node-private#439 - [
bd094d60ea] - permission: handle fstatfs and add pm supported list (RafaelGSS) nodejs-private/node-private#441 - [
7337d21484] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417 - [
cf348ec640] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#397