Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nodejs: 16.20.0 -> 16.20.1, 18.16.0 -> 18.16.1, 20.3.0 -> 20.3.1 #238884

Merged
merged 3 commits into from
Jun 21, 2023
Merged

nodejs: 16.20.0 -> 16.20.1, 18.16.0 -> 18.16.1, 20.3.0 -> 20.3.1 #238884

merged 3 commits into from
Jun 21, 2023

Conversation

marsam
Copy link
Contributor

@marsam marsam commented Jun 21, 2023

Description of changes

Security Releases

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@marsam
nodejs_16: 16.20.0 -> 16.20.1
805e754 
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)

https://github.com/nodejs/node/releases/tag/v16.20.1
@marsam
nodejs_18: 18.16.0 -> 18.16.1
75f22e0 
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)

https://github.com/nodejs/node/releases/tag/v18.16.1
@marsam
nodejs_20: 20.3.0 -> 20.3.1
12bbce3 
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
- CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
- CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
- CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)

https://github.com/nodejs/node/releases/tag/v20.3.1
@marsam marsam added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-23.05 labels Jun 21, 2023
@marsam marsam linked an issue Jun 21, 2023 that may be closed by this pull request
Update request: NodeJS June 20th 2023 security patches - 16.20.0 → 16.20.1, 18.16.0 → 18.16.1, 20.3.0 → 20.3.1 #238869
Closed
1 task
@marsam marsam merged commit 9c70578 into NixOS:master Jun 21, 2023
@marsam marsam deleted the update-nodejs branch June 21, 2023 10:24
@github-actions
Copy link
Contributor

Backport failed for release-23.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-23.05
git worktree add -d .worktree/backport-238884-to-release-23.05 origin/release-23.05
cd .worktree/backport-238884-to-release-23.05
git checkout -b backport-238884-to-release-23.05
ancref=$(git merge-base f96d41e499f0a03cfdcce14351c7302238780ef9 12bbce3e6c2b298892768d5fb99696b8bbf73ce2)
git cherry-pick -x $ancref..12bbce3e6c2b298892768d5fb99696b8bbf73ce2

YorikSar added a commit to YorikSar/nixpkgs that referenced this pull request Jun 23, 2023
@YorikSar
nodejs: Add 16.20.1 to permittedInsecurePackages in release.nix
81389b2 
nodejs package has been updated in NixOS#238884
but it wasn't added here, so Hydra doesn't build any packages depending
on it.
@YorikSar YorikSar mentioned this pull request Jun 23, 2023
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 501-1000 10.rebuild-darwin: 501+ 10.rebuild-linux: 501-1000 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
1 participant
@marsam