PR-URL: #45791

Refs: #45791
PR-URL: #45846
Refs: nodejs/nodejs.org#4972
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Extend the Linux logic to all POSIX platforms in
test-child-process-exec-abortcontroller-promisified.

PR-URL: #46276
Fixes: nodejs/build#3154
Refs: #37518
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Ruy Adorno <ruyadorno@google.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

This updates all sources in deps/openssl/openssl by:
    $ git clone https://github.com/quictls/openssl
    $ cd openssl
    $ git checkout OpenSSL_1_1_1t+quic
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../openssl openssl
    $ rm -rf openssl/.git* openssl/.travis*
    $ git add --all openssl
    $ git commit openssl

PR-URL: #46568
Refs: https://mta.openssl.org/pipermail/openssl-announce/2023-February/000251.html
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>

After an OpenSSL source update, all the config files need to be
regenerated and committed by:
    $ make -C deps/openssl/config
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl
    $ git commit

PR-URL: #46568
Refs: https://mta.openssl.org/pipermail/openssl-announce/2023-February/000251.html
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>

Original commit message:

    rsa: add msvc intrinsic for non x64 platforms

    _umul128() is x86_64 (x64) only, while __umulh() works everywhere, but
    doesn't generate optimal code on x64

PR-URL: #46568
Refs: openssl/openssl#20244
Refs: https://mta.openssl.org/pipermail/openssl-announce/2023-February/000251.html
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>

Backport-PR-URL: nodejs-private/node-private#378
CVE-ID: CVE-2023-23920
PR-URL: nodejs-private/node-private#374
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1625036
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>

Prior to this commit, functions accessing the OpenSSL error queue did
not work properly after x509.verify() returned false.

Backport-PR-URL: nodejs-private/node-private#375
CVE-ID: CVE-2023-23919
PR-URL: #45377
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>

Backport-PR-URL: nodejs-private/node-private#375
CVE-ID: CVE-2023-23919
Fixes: #45485
PR-URL: #45495
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-23919
PR-URL: nodejs-private/node-private#375
Refs: https://hackerone.com/bugs?report_id=1808596
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Richard Lau <rlau@redhat.com>

Signed-off-by: Matteo Collina <hello@matteocollina.com>
CVE-ID: CVE-2023-23936, CVE-2023-24807
PR-URL: nodejs-private/node-private#388
Refs: GHSA-5r9g-qh6m-jxff
Refs: GHSA-r6ch-mqf9-qc9w
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1820955
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1784449
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>

Co-authored-by: Bradley Farias <bradley.meck@gmail.com>
Backport-PR-URL: nodejs-private/node-private#372
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1747642
CVE-ID: CVE-2023-23918
PR-URL: nodejs-private/node-private#358
Reviewed-by: Bradley Farias <bradley.meck@gmail.com>
Reviewed-by: Michael Dawson <midawson@redhat.com>

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
Backport-PR-URL: nodejs-private/node-private#372
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1747642
CVE-ID: CVE-2023-23918
PR-URL: nodejs-private/node-private#358
Reviewed-by: Bradley Farias <bradley.meck@gmail.com>
Reviewed-by: Michael Dawson <midawson@redhat.com>

This is a security release.

Notable changes:

The following CVEs are fixed in this release:

- CVE-2023-23918: Node.js Permissions policies can be bypassed via
  process.mainModule (High)
- CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs
  crypto library (Medium)
- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF
  injection in host headers (Medium)
- CVE-2023-24807: Regular Expression Denial of Service in Headers in
  Node.js fetch API (Low)
- CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA
  environment variable (Low)

Fixed by an update to undici:

- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF
  injection in host headers (Medium)
  See GHSA-5r9g-qh6m-jxff
  for more information.
- CVE-2023-24807: Regular Expression Denial of Service in Headers in
  Node.js fetch API (Low)
  See GHSA-r6ch-mqf9-qc9w
  for more information.

- OpenSSL 1.1.1t

PR-URL: nodejs-private/node-private#390