
Update Node to April 2024 security release #3229

Closed
gioccher opened this issue Apr 4, 2024 · 1 comment
Labels
bug Something isn't working

Comments


gioccher commented Apr 4, 2024

The version of Node 20 included in the runner is several security releases behind.
Current: 20.8.1 (August 2023)
Latest: 20.12.1 (April 2024)

Here are the announcements of each Node security release:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

and the list of fixed CVEs:

undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (Low) - (CVE-2023-45143)
nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487)
Permission model improperly protects against path traversal (High) - (CVE-2023-39331)
Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)
Integrity checks according to policies can be circumvented (Medium) - (CVE-2023-38552)
Code injection via WebAssembly export names (Low) - (CVE-2023-39333)
OpenSSL Security updates
Code injection and privilege escalation through Linux capabilities (CVE-2024-21892) - (High)
Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019) - (High)
Path traversal by monkey-patching Buffer internals (CVE-2024-21896) - (High)
setuid() does not drop all privileges due to io_uring (CVE-2024-22017) - (High)
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (CVE-2023-46809) - (Medium)
Multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891) - (Medium)
Improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890) - (Medium)
Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (CVE-2024-27983) - (High)
HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium)
@gioccher gioccher added the bug Something isn't working label Apr 4, 2024
gioccher (Author) commented
One more security release got published in the meantime:

Latest: Node v20.12.2 (LTS) (April 2024)
Announcement: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
Fixes:

Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) - (HIGH)
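As an added example (not code from the issue or from the runner project), a small Node script that checks whether the runtime executing it is at or above the minimum release the issue asks for. The minimum (v20.12.2) is taken from the issue; the comparison is numeric per component, since a plain string comparison would wrongly rank 20.8.1 above 20.12.1.

```javascript
// Added example, not part of the original issue. Minimum patched release
// taken from the issue text (v20.12.2, April 2024 security release 2).
const MIN_PATCHED = '20.12.2';

// Parse "v20.12.2" or "20.12.2" into [20, 12, 2]; rejects anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions component by component: -1, 0 or 1.
// Numeric comparison matters: lexically "20.8.1" > "20.12.1", which is wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `current` is at or above the minimum patched release.
// Note: the minimum applies to the 20.x line named in the issue; a newer
// major line is reported as patched only in the sense of being >= 20.12.2.
function isPatched(current, minimum = MIN_PATCHED) {
  return compareVersions(current, minimum) >= 0;
}

// Check the Node runtime executing this script (process.versions.node is
// the bare version string, e.g. "20.12.2").
function checkRuntime() {
  const current = process.versions.node;
  return { current, minimum: MIN_PATCHED, patched: isPatched(current) };
}

const result = checkRuntime();
console.log(
  `Node ${result.current}: ${result.patched ? 'at or above' : 'BELOW'} ${result.minimum}`
);
```

Run it as a step on the runner to fail the job (e.g. by setting `process.exitCode = 1` when `result.patched` is false) until the runner's bundled Node is updated.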
