Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Node v20.18.2 nsolid v5.6.1 release #258

Merged
merged 8 commits into from
Jan 22, 2025
Merged

Node v20.18.2 nsolid v5.6.1 release #258

merged 8 commits into from
Jan 22, 2025

Conversation

santigimeno
Copy link
Member

No description provided.

marco-ippolito and others added 8 commits November 20, 2024 15:25
@marco-ippolito
Working on v20.18.2
97291c2 
PR-URL: nodejs/node#55879
@tniessen @RafaelGSS
path: fix path traversal in normalize() on Windows
42d5821 
Without this patch, on Windows, normalizing a relative path might result
in a path that Windows considers absolute. In rare cases, this might
lead to path traversal vulnerabilities in user code.

We attempt to detect those cases and return a relative path instead.

PR-URL: nodejs-private/node-private#555
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2025-23084
@RafaelGSS
src,loader,permission: throw on InternalWorker use
389f239 
Previously this PR it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user. For example
through diagnostics_channel.subscribe('worker_threads')

PR-URL: nodejs-private/node-private#652
Refs: https://hackerone.com/reports/2575105
CVE-ID: CVE-2025-23083
@mcollina @RafaelGSS
deps: update undici to v6.21.1
df8b9f2 
Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs-private/node-private#663
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2025-22150
@RafaelGSS
src: fix HTTP2 mem leak on premature close and ERR_PROTO
8187a4b 
This commit fixes a memory leak when the socket is
suddenly closed by the peer (without GOAWAY notification)
and when invalid header (by nghttp2) is identified and the
connection is terminated by peer.

Refs: https://hackerone.com/reports/2841362
@RafaelGSS
2025-01-21, Version 20.18.2 'Iron' (LTS)
53a57ef 
This is a security release.

Notable changes:

* CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

PR-URL: nodejs-private/node-private#664
@santigimeno
Merge tag 'v20.18.2' into node-v20.18.2-nsolid-v5.6.1-release
a65a368 
2025-01-21 Node.js v20.18.2 'Iron' (LTS) Release
Git-EVTag-v0-SHA512: 729aec637383271c9ecbcd8a0a07f513040f51b7f9f091aac8e2dd22459088f479ea061ffe94c28002782cfe82a065ebd63c3770d7b4a66d6a68a8002e6344b2
@santigimeno
2025-01-21, Version 20.18.2-nsolid-v5.6.1 'Iron'
ea44d36
@santigimeno santigimeno requested a review from juanarbol January 21, 2025 22:50
@santigimeno santigimeno self-assigned this Jan 21, 2025
juanarbol
juanarbol approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@juanarbol juanarbol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@santigimeno santigimeno merged commit ea44d36 into node-v20.x-nsolid-v5.x Jan 22, 2025
18 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanarbol juanarbol juanarbol approved these changes

Assignees

@santigimeno santigimeno

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@santigimeno @juanarbol @marco-ippolito @tniessen @RafaelGSS @mcollina