Comparing changes

base repository: nodejs/node
base: v16.20.1
head repository: nodejs/node
compare: v16.20.2
  • 7 commits
  • 15,322 files changed
  • 2 contributors

Commits on Jun 20, 2023

  1. Working on v16.20.2

    RafaelGSS committed Jun 20, 2023
    7447de2

Commits on Aug 8, 2023

  1. deps: upgrade openssl sources to OpenSSL_1_1_1v

    This updates all sources in deps/openssl/openssl by:
        $ git clone https://github.com/quictls/openssl
        $ cd openssl
        $ git checkout OpenSSL_1_1_1v+quic
        $ cd ../node/deps/openssl
        $ rm -rf openssl
        $ cp -R ../openssl openssl
        $ rm -rf openssl/.git* openssl/.travis*
        $ git add --all openssl
        $ git commit openssl
    
    PR-URL: #49043
    RafaelGSS committed Aug 8, 2023
    362d4c7
  2. deps: fix openssl crypto clean

    PR-URL: #49043
    RafaelGSS committed Aug 8, 2023
    a9ac9da
  3. deps: update archs files for OpenSSL-1.1.1v

     After an OpenSSL source update, all the config files need to be
     regenerated and committed by:
        $ make -C deps/openssl/config
        $ git add deps/openssl/config/archs
        $ git add deps/openssl/openssl/include/crypto/bn_conf.h
        $ git add deps/openssl/openssl/include/crypto/dso_conf.h
        $ git add deps/openssl/openssl/include/openssl/opensslconf.h
        $ git commit
    
    PR-URL: #49043
    RafaelGSS committed Aug 8, 2023
    40c3958
  4. policy: disable process.binding() when enabled

    process.binding() can be used to trivially bypass restrictions imposed
    through a policy. Since the function is deprecated already, simply
    replace it with a stub when a policy is being enabled.
    
    Fixes: https://hackerone.com/bugs?report_id=1946470
    Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    CVE-ID: CVE-2023-32559
    PR-URL: nodejs-private/node-private#459
    tniessen authored and RafaelGSS committed Aug 8, 2023
    242aaa0
  5. d8ccfe9
  6. 2023-08-09, Version 16.20.2 'Gallium' (LTS)

    This is a security release.
    
    Notable changes:
    
    Following CVEs are fixed in this release:
    
    * CVE-2023-32002: Policies can be bypassed via Module._load (High)
    * CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
    * CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
    * OpenSSL Security Releases
      * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html
      * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html
      * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html
    
    PR-URL: nodejs-private/node-private#458
    RafaelGSS committed Aug 8, 2023
    dadbde9