From f7542cbb11804d6c905a3b65d329ff63f5795678 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 8 Jul 2024 15:23:09 -0300 Subject: [PATCH 1/4] Blog: v22.4.1 release post Refs: https://github.com/nodejs-private/node-private/pull/617 --- apps/site/pages/en/blog/release/v22.4.1.md | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v22.4.1.md diff --git a/apps/site/pages/en/blog/release/v22.4.1.md b/apps/site/pages/en/blog/release/v22.4.1.md new file mode 100644 index 0000000000000..bf2caa2e71cd5 --- /dev/null +++ b/apps/site/pages/en/blog/release/v22.4.1.md 
@@ -0,0 +1,52 @@ +--- +date: '2024-07-08T18:17:04.165Z' +category: release +title: Node v22.4.1 (Current) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2024-07-08, Version 22.4.1 (Current), @RafaelGSS + +This is a security release. + +### Notable Changes + +- CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High) +- CVE-2024-22020 - Bypass network import restriction via data URL (Medium) +- CVE-2024-22018 - fs.lstat bypasses permission model (Low) +- CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low) +- CVE-2024-37372 - Permission model improperly processes UNC paths (Low) + +### Commits + +- \[[`110902ff5e`](https://github.com/nodejs/node/commit/110902ff5e)] - **lib,esm**: handle bypass network-import via data: (RafaelGSS) [nodejs-private/node-private#522](https://github.com/nodejs-private/node-private/pull/522) +- \[[`0a0de3d491`](https://github.com/nodejs/node/commit/0a0de3d491)] - **lib,permission**: support fs.lstat (RafaelGSS) +- \[[`93574335ff`](https://github.com/nodejs/node/commit/93574335ff)] - **lib,permission**: disable fchmod/fchown when pm enabled (RafaelGSS) [nodejs-private/node-private#584](https://github.com/nodejs-private/node-private/pull/584) +- \[[`09899e6302`](https://github.com/nodejs/node/commit/09899e6302)] - **src**: handle permissive extension on cmd check (RafaelGSS) [nodejs-private/node-private#596](https://github.com/nodejs-private/node-private/pull/596) +- \[[`5d9c811634`](https://github.com/nodejs/node/commit/5d9c811634)] - **src,permission**: fix UNC path resolution (RafaelGSS) [nodejs-private/node-private#581](https://github.com/nodejs-private/node-private/pull/581) + +Windows 32-bit Installer: https://nodejs.org/dist/v22.4.1/node-v22.4.1-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v22.4.1/node-v22.4.1-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v22.4.1/node-v22.4.1-arm64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v22.4.1/win-x86/node.exe \ +Windows 
64-bit Binary: https://nodejs.org/dist/v22.4.1/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v22.4.1/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v22.4.1/node-v22.4.1.pkg \ +macOS Apple Silicon 64-bit Binary: _Coming soon_ \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v22.4.1/node-v22.4.1-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v22.4.1/node-v22.4.1-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v22.4.1/node-v22.4.1-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v22.4.1/node-v22.4.1-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v22.4.1/node-v22.4.1-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: https://nodejs.org/dist/v22.4.1/node-v22.4.1-linux-armv7l.tar.xz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v22.4.1/node-v22.4.1-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v22.4.1/node-v22.4.1.tar.gz \ +Other release files: https://nodejs.org/dist/v22.4.1/ \ +Documentation: https://nodejs.org/docs/v22.4.1/api/ + +### SHASUMS + +``` +[INSERT SHASUMS HERE] +``` From 144b3af5a7c1f949f8f80d62339bf6054a9e7b22 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 8 Jul 2024 15:23:40 -0300 Subject: [PATCH 2/4] Blog: v20.15.1 release post Refs: https://github.com/nodejs-private/node-private/pull/608 --- apps/site/pages/en/blog/release/v20.15.1.md | 110 ++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v20.15.1.md diff --git a/apps/site/pages/en/blog/release/v20.15.1.md b/apps/site/pages/en/blog/release/v20.15.1.md new file mode 100644 index 0000000000000..d21c6ebd9f37d --- /dev/null +++ b/apps/site/pages/en/blog/release/v20.15.1.md 
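Review bot: In the v22.4.1 post (patch 1/4) the SHASUMS block still holds the `[INSERT SHASUMS HERE]` placeholder and the macOS Apple Silicon 64-bit Binary line reads `_Coming soon_`; the PGP-signed checksum list and the darwin-arm64 link need to be filled in before this lands, as they are in the v20.15.1 and v18.20.4 posts in this same series, otherwise readers of this post have nothing to verify the downloads against. The `0a0de3d491` commit entry for `lib,permission: support fs.lstat` is also the only entry without a PR reference; the v20.15.1 post cites nodejs-private/node-private#486 for the same change, so add the link for consistency.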
@@ -0,0 +1,110 @@ +--- +date: '2024-07-08T18:16:32.440Z' +category: release +title: Node v20.15.1 (LTS) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2024-07-08, Version 20.15.1 'Iron' (LTS), @RafaelGSS + +This is a security release. + +### Notable Changes + +- CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High) +- CVE-2024-22020 - Bypass network import restriction via data URL (Medium) +- CVE-2024-22018 - fs.lstat bypasses permission model (Low) +- CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low) +- CVE-2024-37372 - Permission model improperly processes UNC paths (Low) + +### Commits + +- \[[`60e184a6e4`](https://github.com/nodejs/node/commit/60e184a6e4)] - **lib,esm**: handle bypass network-import via data: (RafaelGSS) [nodejs-private/node-private#522](https://github.com/nodejs-private/node-private/pull/522) +- \[[`025cbd6936`](https://github.com/nodejs/node/commit/025cbd6936)] - **lib,permission**: support fs.lstat (RafaelGSS) [nodejs-private/node-private#486](https://github.com/nodejs-private/node-private/pull/486) +- \[[`d38ea17341`](https://github.com/nodejs/node/commit/d38ea17341)] - **lib,permission**: disable fchmod/fchown when pm enabled (RafaelGSS) [nodejs-private/node-private#584](https://github.com/nodejs-private/node-private/pull/584) +- \[[`1ba624cd3b`](https://github.com/nodejs/node/commit/1ba624cd3b)] - **src**: handle permissive extension on cmd check (RafaelGSS) [nodejs-private/node-private#596](https://github.com/nodejs-private/node-private/pull/596) +- \[[`2524d00c3d`](https://github.com/nodejs/node/commit/2524d00c3d)] - **src,permission**: fix UNC path resolution (RafaelGSS) [nodejs-private/node-private#581](https://github.com/nodejs-private/node-private/pull/581) +- \[[`484cb0f13c`](https://github.com/nodejs/node/commit/484cb0f13c)] - **src,permission**: resolve path on fs_permission (Rafael Gonzaga) [#52761](https://github.com/nodejs/node/pull/52761) + +Windows 32-bit Installer: 
https://nodejs.org/dist/v20.15.1/node-v20.15.1-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v20.15.1/node-v20.15.1-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v20.15.1/node-v20.15.1-arm64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v20.15.1/win-x86/node.exe \ +Windows 64-bit Binary: https://nodejs.org/dist/v20.15.1/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v20.15.1/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v20.15.1/node-v20.15.1.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v20.15.1/node-v20.15.1-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v20.15.1/node-v20.15.1-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v20.15.1/node-v20.15.1-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v20.15.1/node-v20.15.1-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v20.15.1/node-v20.15.1-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v20.15.1/node-v20.15.1-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: _Coming soon_ \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v20.15.1/node-v20.15.1-linux-arm64.tar.xz \ +Source Code: _Coming soon_ \ +Other release files: https://nodejs.org/dist/v20.15.1/ \ +Documentation: https://nodejs.org/docs/v20.15.1/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +dd24c8b6fdaf46361e130c894fd7282266f944b54196636e6df583fdec1e836f node-v20.15.1-aix-ppc64.tar.gz +9cbfc9d496427893505f8cb81aa4c1554fe449881cb4a6c5410e494c5fc36674 node-v20.15.1-arm64.msi +4743bc042f90ba5d9edf09403207290a9cdd2f6061bdccf7caaa0bbfd49f343e node-v20.15.1-darwin-arm64.tar.gz +106ad5288f1da94bf25cf9fba4a070b442e3213e25ce8af3ad35bf6e266213f6 node-v20.15.1-darwin-arm64.tar.xz +f5379772ffae1404cfd1fcc8cf0c6c5971306b8fb2090d348019047306de39dc node-v20.15.1-darwin-x64.tar.gz 
+34ad01b42025f72d486f9775a2f170913ad6b9fe2d4ceb67746a08de0e475b88 node-v20.15.1-darwin-x64.tar.xz +8c2305c6df5d14525e0711f0da38295600987df4c2710c738c01400862a176b4 node-v20.15.1-headers.tar.gz +d6e4f101f8734f96be558ad4b84a35a81f33decc050a7d2d8e5b39573b79bdf8 node-v20.15.1-headers.tar.xz +8554c91ccd32782351035d3a9b168ad01c6922480800a21870fc5d6d86c2bb70 node-v20.15.1-linux-arm64.tar.gz +10d47a46ef208b3e4b226e4d595a82659123b22397ed77b7975d989114ec317e node-v20.15.1-linux-arm64.tar.xz +2c16717da7d2d7b00f6af146cdf436a0297cbcee52c85b754e4c9ed7cee34b51 node-v20.15.1-linux-armv7l.tar.gz +7bc120efdd8018f6915471b963d9b80adf4ed406d6dc9edb4ae944b85f505c4c node-v20.15.1-linux-armv7l.tar.xz +b91df4971b428f9cb2fbe427c919ad382c4cd206a85e5c918c60c15f1e3d2e32 node-v20.15.1-linux-ppc64le.tar.gz +b33e684802251397ad62ad3f8a1836267ee8b7723f87f669470018ad0035287b node-v20.15.1-linux-ppc64le.tar.xz +393f511b5623c8a872e58203914a54bc7e086b8ca870d34833766d4f9c4e2448 node-v20.15.1-linux-s390x.tar.gz +e2c36cdccc8a7c1000a349dd6fea8b0ce39884eae7b3dd1950d0105120f20848 node-v20.15.1-linux-s390x.tar.xz +a9db028c0a1c63e3aa0d97de24b0966bc507d8239b3aedc4e752eea6b0580665 node-v20.15.1-linux-x64.tar.gz +26700f8d3e78112ad4a2618a9c8e2816e38a49ecf0213ece80e54c38cb02563f node-v20.15.1-linux-x64.tar.xz +4f437463e708c4c7faaa436bed46c3ea814ec3796cfe1e02515ab21d2038b4b1 node-v20.15.1-win-arm64.7z +6cc4f9ca826f5b3e0c555d156bc6adcc371bd96c2874ee748d0f97e2938d3c2b node-v20.15.1-win-arm64.zip +5dbaf27053a0566395f81ebe9e4660141de1bc7b0fe80583447bb36804643f75 node-v20.15.1-win-x64.7z +ba6c3711e2c3d0638c5f7cea3c234553808a73c52a5962a6cdb47b5210b70b04 node-v20.15.1-win-x64.zip +2281b04df475efa64ef483529fc9cad1715d42d5766e68541b64970297247692 node-v20.15.1-win-x86.7z +9a08021e4bcc4694bc72d00ce1ce0686e6de6a9a855678239625f96b09c70b07 node-v20.15.1-win-x86.zip +b139ba1b82807918af40fbed49a5b529f67ba198e87bcabdac907b734ff83ab5 node-v20.15.1-x64.msi +6079df4ab0d457180b4b730fab76d0b60b14342d797cc10a4f2d7c8b61fba584 
node-v20.15.1-x86.msi +93b9549a65d459cc2e035c0d583101f827607f43376b5f23a3a2a900f5467321 node-v20.15.1.pkg +da228a0c27922f02001d9a781793696432096ab2da658eb77d7fc21693f4c5cb node-v20.15.1.tar.gz +fdd53a5729d936691a2a1151046fb4897721cb8b0fca2af957823a9b40fe0c34 node-v20.15.1.tar.xz +8e3f84e8ec7e41f98a048eb0c1365cfe54426a556ead98c4803df45d29e0335d win-arm64/node.exe +a4f01329c1c211082ac3ed387ff6651530040bbf7250ec419ce8f95b10d7804a win-arm64/node.lib +493292505fd7a156b1e7b46c7f05001a0684fba6f734f83abfcf7fed88625453 win-arm64/node_pdb.7z +88d4af538deadf8fa2638df84a76bd7dd26f0aeac8dc584f213da736f322377c win-arm64/node_pdb.zip +229fb64aeb10d3cc18eaaa2f5a4c3f1c81792dd3647c5c4350e142db528d0f89 win-x64/node.exe +87056190b7cd06f40058f8e059efd328cdcc7600b825afa102c0aa5039865af5 win-x64/node.lib +bb2198b381bb5d7bc08e2cdda3db911996e310b944b05cb8c7c271a5a7ab0901 win-x64/node_pdb.7z +316ee3fbbe976981e8ee0b81204aece9d3c2337c83f1644d90bb552c3068ca44 win-x64/node_pdb.zip +6e7f3cbb46569a58babe99de2df8a69e98ad613674d4fed71b1dca866e1a72e8 win-x86/node.exe +fa02ae7feca7eb6c4a0f1b929126df400719f5d18a2ec4b7d12c52fbe0b13814 win-x86/node.lib +e8f6da56c9bc73add71a41c4d5ed92fc6cf9e7c5067d7a0d3f7b9fd6391f07c4 win-x86/node_pdb.7z +1b4e9dbc5a8b0a5121d32351f9654c1ab451e88680982d487a4a6c40d50bd730 win-x86/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmaMK0kACgkQi+q0389V +XvRgaQv+N9/ZpHlLeTQUW+rVBWeuqnPDRTUtL68DDSz5hNTy7BG3TcHtRLXx8Vla +ycwlWM5agMl8Ffg05r+F4OwlwWBnLCS0MI+VLfaEKqLoV/VdHyz32bxH7XcmpN/N +DTqm+yKkqVZRjF/ZMkEPR7jj0ZEPu5aczwund8vsEq3LASXCt7xO3Rdbpu1lffiK +YS97ZdiXH6/o5j8+AzqLM0fqNtofJh1/QK1OXQdJfWr9647wJLbQuJEVVt19re1R +7UKkIwT0kdX75+il/z3pm7WFhr9mt4uVZuqIv3cAdq70pFg3W1Z3qbW6MF/+a2Tn +8Ll6eFRuz07cj4gwczcpyBc9i1/8itP1sP0XnknFvF4DRwqqKAn9rZ3+C+LD7uoO +HlOvUVvMdrz+/mFX7u1J2foQLUySSnmP3s24tIlyfgIKxUXy8KUX6hp9mT73U2b8 +wDesvSmMwVDg6e7BQOyJf1n6Sp6DjrjbK0GHsFnxfe8h60eA3oiFNzMYG9NWRr5z +M1gW4Q74 +=798C +-----END PGP SIGNATURE----- +``` 
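Review bot: In the v20.15.1 post the ARMv7 32-bit Binary and Source Code download lines are still `_Coming soon_`, yet the PGP-signed SHASUMS block directly below them already lists `node-v20.15.1-linux-armv7l.tar.xz` and `node-v20.15.1.tar.gz`, so those artifacts exist and the two lines should follow the naming pattern used by the other entries (`https://nodejs.org/dist/v20.15.1/node-v20.15.1-linux-armv7l.tar.xz` and `https://nodejs.org/dist/v20.15.1/node-v20.15.1.tar.gz`). A post whose link set disagrees with its signed checksum set is confusing for anyone verifying a download.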
From d784afb7bd1b1ce05bdfbb63050398114c693ee7 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 8 Jul 2024 15:24:29 -0300 Subject: [PATCH 3/4] Blog: v18.20.4 release post Refs: https://github.com/nodejs-private/node-private/pull/609 --- apps/site/pages/en/blog/release/v18.20.4.md | 94 +++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v18.20.4.md diff --git a/apps/site/pages/en/blog/release/v18.20.4.md b/apps/site/pages/en/blog/release/v18.20.4.md new file mode 100644 index 0000000000000..e3e5feb89481c --- /dev/null +++ b/apps/site/pages/en/blog/release/v18.20.4.md 
@@ -0,0 +1,94 @@ +--- +date: '2024-07-08T18:15:09.898Z' +category: release +title: Node v18.20.4 (LTS) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2024-07-08, Version 18.20.4 'Hydrogen' (LTS), @RafaelGSS + +This is a security release. + +### Notable Changes + +- CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High) +- CVE-2024-22020 - Bypass network import restriction via data URL (Medium) + +### Commits + +- \[[`85abedf1ff`](https://github.com/nodejs/node/commit/85abedf1ff)] - **lib,esm**: handle bypass network-import via data: (RafaelGSS) [nodejs-private/node-private#522](https://github.com/nodejs-private/node-private/pull/522) +- \[[`eccd63b865`](https://github.com/nodejs/node/commit/eccd63b865)] - **src**: handle permissive extension on cmd check (RafaelGSS) [nodejs-private/node-private#596](https://github.com/nodejs-private/node-private/pull/596) + +Windows 32-bit Installer: https://nodejs.org/dist/v18.20.4/node-v18.20.4-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v18.20.4/node-v18.20.4-x64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v18.20.4/win-x86/node.exe \ +Windows 64-bit Binary: https://nodejs.org/dist/v18.20.4/win-x64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v18.20.4/node-v18.20.4.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v18.20.4/node-v18.20.4-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v18.20.4/node-v18.20.4-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v18.20.4/node-v18.20.4-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v18.20.4/node-v18.20.4-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v18.20.4/node-v18.20.4-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v18.20.4/node-v18.20.4-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: https://nodejs.org/dist/v18.20.4/node-v18.20.4-linux-armv7l.tar.xz \ +ARMv8 64-bit Binary: 
https://nodejs.org/dist/v18.20.4/node-v18.20.4-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v18.20.4/node-v18.20.4.tar.gz \ +Other release files: https://nodejs.org/dist/v18.20.4/ \ +Documentation: https://nodejs.org/docs/v18.20.4/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +8b964752863994f9f74b9aa176584e3a1a9f408a1c57c41d929bc9d2a54020b4 node-v18.20.4-aix-ppc64.tar.gz +aca5b568cc2a7e918037f05168634a921d88f43882c92a01b4ef5e39d0b89414 node-v18.20.4-darwin-arm64.tar.gz +e4ff1ac52a42e8f5eadc59e5bde778e31f246636beae0615a8b82885d8d30f4a node-v18.20.4-darwin-arm64.tar.xz +7d2eb630b66bb39b9cf6bb12b35de833e2445797f2ddc9bcae714e63e75181ca node-v18.20.4-darwin-x64.tar.gz +a868e8a1c27fe5fe329d80dd3b51409cefdf9a7869d9abca42473beae7535e10 node-v18.20.4-darwin-x64.tar.xz +be69a16ef1b0483ca0aacc1c8d0af69e87582356e236fe750e9eef9a6127db1b node-v18.20.4-headers.tar.gz +7d5fa4cf18910fd84d94e800459851c6067aca3646507e408ebcd7e572865eca node-v18.20.4-headers.tar.xz +f4e0b8b1a89e5d6529e517d57b42ac5cbab0562d86e88566d8e90578257e2b16 node-v18.20.4-linux-arm64.tar.gz +1cb5053bd4109aec41a8104ea3e9f48b95b1adef4d23bb4fc64f8c2d90c65ae3 node-v18.20.4-linux-arm64.tar.xz +ce311e7167c8cc0392753119dad55291842c2f4aa7a87a093144fc9338f35b61 node-v18.20.4-linux-armv7l.tar.gz +65686d63e0a73915a57ff487a0f720a502779f97e9cc93b3cc8b74563f8baa85 node-v18.20.4-linux-armv7l.tar.xz +2356de20cb33798690c90270b557e690c34cfd67525e32a0a6301a8176ce0bd8 node-v18.20.4-linux-ppc64le.tar.gz +d3baf8cca1862f42529258e37a715e4e59de7c6d00409e5f8dce31ced8196ed0 node-v18.20.4-linux-ppc64le.tar.xz +654ee94e5695f4c97dc1adc03cf833763ba62865fefb057af7258a20a87be51c node-v18.20.4-linux-s390x.tar.gz +050d3646dc19a2e72f6bb16159af49d25594e9a55fa35f264c34dac7c4665ab6 node-v18.20.4-linux-s390x.tar.xz +c4b0827dc47609d0a8379e6de6c74b3934da0b1312c733b5ebdcac16e3f1e954 node-v18.20.4-linux-x64.tar.gz +592eb35c352c7c0c8c4b2ecf9c19d615e78de68c20b660eb74bd85f8c8395063 node-v18.20.4-linux-x64.tar.xz 
+235645185550bf8dade9d747d5bd7aa7c901b12433ac743857738df7e94ecde0 node-v18.20.4-win-x64.7z +a2864d9048fb83cc85e3b2c3d18f5731b69cae8964bb029f5cdecbb0820eccd7 node-v18.20.4-win-x64.zip +eab07bf4b4f443448205699d7a4b6d2cfa2e847c2f0d041a8117fcdcedf9e350 node-v18.20.4-win-x86.7z +4939b50f5252ae05b271e20cbdaca36c26c7b78ea817a74fd6098a2435641b91 node-v18.20.4-win-x86.zip +c2654d3557abd59de08474c6dd009b1d358f420b8e4010e4debbf130b1dfb90a node-v18.20.4-x64.msi +dcf8f4a7022be6e3a1f1af875cca6747904f88feda55387daf009308d2844003 node-v18.20.4-x86.msi +0df3e744a2beba9fe91d43a218a82dc23bcf4f6dd0532b35816766e4dd801e49 node-v18.20.4.pkg +349259af6821f730bc4ca3a0e6576efc75ba86e546d118629a5b75eb8ebc3a0b node-v18.20.4.tar.gz +a76c7ea1b96aeb6963a158806260c8094b6244d64a696529d020547b9a95ca2a node-v18.20.4.tar.xz +4dd7333812a5df39cae6c7e69e519328ff61d0e997bdc62c307e3303c73270be win-x64/node.exe +64d93225aaece04e3cd45177d6dea2b22df49e127281fefa3ade43ac46a36cc6 win-x64/node.lib +902520361c065585d8ece561d7e5078ef3f873699c2a0285d536b96fd3dc7816 win-x64/node_pdb.7z +d5c75042e9cfb6852e07ae8460cd14d3ec243926201c8f4cc44e0e3e68538663 win-x64/node_pdb.zip +bb4c0584d5f32a5246dcf02c613f9c11dcd596ab09e5be43144f0ee2fc271a15 win-x86/node.exe +df34047e8ae646e6f43d76ecbec9709a185f29e01f49b377c4c46070cacc2859 win-x86/node.lib +ce1995e9e9f99b05abc4808437eca817dd4bb28500ae9164ea2df7acbac069c6 win-x86/node_pdb.7z +02f8dd1808dce9777374fd1e4874eaddfbb748b55b5c70e70e32bf1388594ed3 win-x86/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmaMKnwACgkQi+q0389V +XvSqGwwAkSTd4L8MQFSEV3R5LalZQtqUQZUwq4VAGQ0ZbYaj8biUbaVt4iQrH4sc +ORPRs9d0DPVOzHLzvBpRziPkIRDGWO70X+QDeXVCus5kCwOOu6p1/31bykLqoxPC +8wVNBGy4MyaH31PdlvdMyCTg+PBHte4/XCztPLg6TUS4WGO90aUZjRQRML1h7Fo2 +EmQnGpVK7bZtQZPKPntt61Q/o48Kh6Q5v1kGTh2HHKy51QMGYQxA72IhdGA807Ri +pljDlqyMFHNfo8cDFD9wlizngun/7QtZpfYLWUZeQvZWEBgrN/Z/mU/5nPQjLF6E +xKSP7ahQkmJaqVTJIWQKQay0AIT8ZXEvV57htY5aeGPn3/WZGe6oahCaLgnBGik+ 
+itFlt/AfYACwCgR86gc2IpEFsHnZGvs8QCdvbtjn3V1EBL8y6Smzqc1uPU+vHOCy +mC1gXwDoQ9ja+5MREaTdipKKNYypFMeS4xqE0QnDRSjfz/8xzqW9rjy01KZFi/Qw +nrNMO3WM +=Gnr/ +-----END PGP SIGNATURE----- +``` From e3173605c93039d67de20a84e69e55537a815dd2 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 8 Jul 2024 15:25:06 -0300 Subject: [PATCH 4/4] Blog: add post security release --- .../july-2024-security-releases.md | 96 ++++++++++++++++++- apps/site/site.json | 6 +- 2 files changed, 97 insertions(+), 5 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/july-2024-security-releases.md b/apps/site/pages/en/blog/vulnerability/july-2024-security-releases.md index 3caaf8bc15a4b..8c003540b3416 100644 --- a/apps/site/pages/en/blog/vulnerability/july-2024-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/july-2024-security-releases.md 
@@ -1,12 +1,104 @@ --- -date: 2024-07-02T03:00:00.000Z +date: 2024-07-08T03:00:00.000Z category: vulnerability title: Monday, July 8, 2024 Security Releases slug: july-2024-security-releases layout: blog-post -author: The Node.js Project +author: Rafael Gonzaga --- +## Security releases available + +Updates are now available for the 22.x, 20.x, 18.x Node.js release lines for the +following issues. + +## Bypass incomplete fix of CVE-2024-27980 (CVE-2024-36138) - (High) + +The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. +This vulnerability arises from improper handling of batch files with all +possible extensions on Windows via `child_process.spawn` / `child_process.spawnSync`. +A malicious command line argument can inject arbitrary commands and achieve code execution +even if the shell option is not enabled. + +This vulnerability affects all users of `child_process.spawn` and `child_process.spawnSync` +on Windows in all active release lines. + +Impact: + +- This vulnerability affects all Windows users in active release lines: 22.x, 20.x, 18.x + +Thank you, to tianst for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Bypass network import restriction via data URL (CVE-2024-22020) - (Medium) + +A security flaw in Node.js allows a bypass of network import restrictions. + +By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. + +Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. + +Exploiting this flaw can violate network import security, posing a risk to developers and servers. + +Impact: + +- This vulnerability affects all users in active release lines: 22.x, 20.x, 18.x + +Thank you, to dittyroma for reporting this vulnerability and thank you RafaelGSS for fixing it. 
+ +## fs.fchown/fchmod bypasses permission model (CVE-2024-36137) - (Low) + +A vulnerability has been identified in Node.js, affecting users of the experimental +permission model when the `--allow-fs-write` flag is used. + +Node.js Permission Model do not operate on file descriptors, however, operations such +as `fs.fchown` or `fs.fchmod` can use a "read-only" file descriptor to change the +owner and permissions of a file. + +This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 22. + +Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. + +Impact: + +- This vulnerability affects all users in active release lines: 22.x, 20.x + +Thank you, to 4xpl0r3r for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## fs.lstat bypasses permission model (CVE-2024-22018) - (Low) + +A vulnerability has been identified in Node.js, affecting users of the experimental permission model when +the `--allow-fs-read` flag is used. +This flaw arises from an inadequate permission model that fails to restrict file stats through the +`fs.lstat` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. + +This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 22. + +Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. + +Impact: + +- This vulnerability affects all users in active release lines: 22.x, 20.x + +Thank you, to haxatron1 for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Permission model improperly processes UNC paths (CVE-2024-37372) - (low) + +The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. 
+ +This vulnerability affects Windows users of the Node.js Permission Model in version v22.x and v20.x + +Impact: + +- This vulnerability affects all users in active release lines: 22.x, 20.x + +Thank you, to tniessen for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Downloads and release details + +- [Node.js v18.20.4](/blog/release/v18.20.4/) +- [Node.js v20.15.1](/blog/release/v20.15.1/) +- [Node.js v22.4.1](/blog/release/v22.3.1/) + ## (Update 04-Jul-2024) Security Release target July 8th Due to the U.S. National Holiday on July 4th, the Node.js Security Releases will diff --git a/apps/site/site.json b/apps/site/site.json index 5a6560e436626..3ed40c4e5e87c 100644 --- a/apps/site/site.json +++ b/apps/site/site.json @@ -28,9 +28,9 @@ ], "websiteBanners": { "index": { - "startDate": "2024-06-26T00:00:00.000Z", - "endDate": "2024-07-08T23:59:00.000Z", - "text": "New security releases to be made available July 8th, 2024", + "startDate": "2024-07-08T00:00:00.000Z", + "endDate": "2024-07-16T23:59:00.000Z", + "text": "July Security Release is available", "link": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases", "type": "warning" }
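Review bot: The Downloads and release details list links `[Node.js v22.4.1]` to `/blog/release/v22.3.1/`, which is the previous release's post; it should be `/blog/release/v22.4.1/` to match the file added in patch 1/4. Smaller points in the same hunk: the CVE-2024-37372 heading uses `(low)` where every other heading uses `(Low)`; the UNC path sentence writes the prefix as a bare `\\`, which Markdown renders as a single backslash, so wrap it in backticks; "Node.js Permission Model do not operate on file descriptors" should read "does not operate"; and "The CVE-2024-27980 was identified" reads better as "CVE-2024-27980 was identified". The Impact bullet for CVE-2024-36138 lists only release lines, while the paragraph above it scopes the issue to `child_process.spawn` / `child_process.spawnSync` on Windows; restating that scope in the bullet would save readers from assuming every platform is affected.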