2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-32002: Policies can be bypassed via Module._load (High)
- CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
- CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
- OpenSSL Security Releases
More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.
Commits
- [
fe3abdf82e
] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036 - [
2c5a522d9c
] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036 - [
15bced0bde
] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417 - [
d4570fae35
] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#460