From 805e75462022983081f91304b788e01c3011cd85 Mon Sep 17 00:00:00 2001
From: Mario Rodas
Date: Wed, 21 Jun 2023 04:20:00 +0000
Subject: [PATCH 1/3] nodejs_16: 16.20.0 -> 16.20.1
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
https://github.com/nodejs/node/releases/tag/v16.20.1
---
 pkgs/development/web/nodejs/v16.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/web/nodejs/v16.nix b/pkgs/development/web/nodejs/v16.nix
index 8d5c5c1b11b6d..71e853cfb05d3 100644
--- a/pkgs/development/web/nodejs/v16.nix
+++ b/pkgs/development/web/nodejs/v16.nix
@@ -10,8 +10,8 @@ let in buildNodejs { inherit enableNpm;
- version = "16.20.0";
- sha256 = "sha256-4JkPmSI05ApR/hH5LDgWyTp34bCBFF0912LNECY0U0k=";
+ version = "16.20.1";
+ sha256 = "sha256-g+AzgeJx8aVhkYjnrqnYXZt+EvW+KijOt41ySe0it/E=";
 patches = [ ./disable-darwin-v8-system-instrumentation.patch ./bypass-darwin-xcrun-node16.patch
From 75f22e0d83812b4b95e9a83e9fe7025df8c39d98 Mon Sep 17 00:00:00 2001
From: Mario Rodas
Date: Wed, 21 Jun 2023 04:20:00 +0000
Subject: [PATCH 2/3] nodejs_18: 18.16.0 -> 18.16.1
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
https://github.com/nodejs/node/releases/tag/v18.16.1
---
 pkgs/development/web/nodejs/v18.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/web/nodejs/v18.nix b/pkgs/development/web/nodejs/v18.nix
index 44411ea731f42..130545b8d9735 100644
--- a/pkgs/development/web/nodejs/v18.nix
+++ b/pkgs/development/web/nodejs/v18.nix
@@ -9,8 +9,8 @@ let in buildNodejs { inherit enableNpm;
- version = "18.16.0";
- sha256 = "sha256-M9gaIz4jWlCa3aSk8iCQCNBFkZed5rPw9nwckGCT8Rg=";
+ version = "18.16.1";
+ sha256 = "sha256-6EBPjI2J/f336Vu7xgZr0OVxrLpY9USSWZthX77v4nI=";
 patches = [ ./disable-darwin-v8-system-instrumentation.patch ./bypass-darwin-xcrun-node16.patch
From 12bbce3e6c2b298892768d5fb99696b8bbf73ce2 Mon Sep 17 00:00:00 2001
From: Mario Rodas
Date: Wed, 21 Jun 2023 04:20:00 +0000
Subject: [PATCH 3/3] nodejs_20: 20.3.0 -> 20.3.1
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
- CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
- CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
- CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
https://github.com/nodejs/node/releases/tag/v20.3.1
---
 pkgs/development/web/nodejs/v20.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/web/nodejs/v20.nix b/pkgs/development/web/nodejs/v20.nix
index 2f44c3e26a604..fe7a0b328a9d8 100644
--- a/pkgs/development/web/nodejs/v20.nix
+++ b/pkgs/development/web/nodejs/v20.nix
@@ -9,8 +9,8 @@ let in buildNodejs { inherit enableNpm;
- version = "20.3.0";
- sha256 = "sha256-G6jUlCPtOnVykGa7PqJkk+6ct9ZWjvlIWX/J70VPdDU=";
+ version = "20.3.1";
+ sha256 = "sha256-EqgtswZpeVm0OJs1Gl+XhImGsTE/mQGw4LPYz08/mZE=";
 patches = [ ./revert-arm64-pointer-auth.patch ./disable-darwin-v8-system-instrumentation-node19.patch