Update Node to April 2024 security release #3229

Status: Open
Labels: bug (Something isn't working)

gioccher commented Apr 4, 2024

The version of Node 20 included in the runner is several security releases behind.
Current: 20.8.1 (August 2023)
Latest: 20.12.1 (April 2024)

Here are the announcements of each Node security release:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

and the list of fixed CVEs:

undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (Low) - (CVE-2023-45143)
nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487)
Permission model improperly protects against path traversal (High) - (CVE-2023-39331)
Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)
Integrity checks according to policies can be circumvented (Medium) - (CVE-2023-38552)
Code injection via WebAssembly export names (Low) - (CVE-2023-39333)
OpenSSL Security updates
Code injection and privilege escalation through Linux capabilities (CVE-2024-21892) - (High)
Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019) - (High)
Path traversal by monkey-patching Buffer internals (CVE-2024-21896) - (High)
setuid() does not drop all privileges due to io_uring (CVE-2024-22017) - (High)
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (CVE-2023-46809) - (Medium)
Multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891) - (Medium)
Improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890) - (Medium)
Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (CVE-2024-27983) - (High)
HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium)
gioccher added the bug label Apr 4, 2024

gioccher (Author) commented:

One more security release got published in the meantime:

Latest: Node v20.12.2 (LTS) (April 2024)
Announcement: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
Fixes:

Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) - (HIGH)
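A version gate that fails a CI job when the runner's bundled Node is older than the patched release named above (v20.12.2). This is an added example, not code from this issue or from the project it is filed against; the `MINIMUM_PATCHED` table and the `check_runner` helper are assumptions for illustration.

```python
import re
import subprocess

# Minimum patched release per Node major line. Only Node 20 is listed here,
# taken from this issue (v20.12.2, April 2024); extend the table for other
# majors you run. This table is an assumption for the example.
MINIMUM_PATCHED = {20: (20, 12, 2)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v20.8.1' (the form `node --version` prints) into (20, 8, 1).

    Comparing tuples of ints avoids the classic string-comparison bug where
    '20.8.1' sorts *after* '20.12.2' because '8' > '1' lexically.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Node version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(installed, minimum_by_major=MINIMUM_PATCHED):
    """True when `installed` is at or above the patched release for its major.

    A major line with no entry in the table is reported as unpatched, so the
    gate fails closed instead of silently accepting an unknown runtime.
    """
    version = parse_version(installed)
    minimum = minimum_by_major.get(version[0])
    if minimum is None:
        return False
    return version >= minimum


def check_runner(node_binary="node"):
    """Query the local Node binary and return (version_string, patched)."""
    result = subprocess.run([node_binary, "--version"],
                            capture_output=True, text=True, check=True)
    installed = result.stdout.strip()
    return installed, is_patched(installed)


if __name__ == "__main__":
    installed, ok = check_runner()
    print(f"node {installed}: {'patched' if ok else 'BEHIND security release'}")
    raise SystemExit(0 if ok else 1)
```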
