
Comparing changes

base repository: nodejs/node
base: f13c7f5
head repository: nodejs/node
compare: 9f51c55
  • 10 commits
  • 392 files changed
  • 4 contributors

Commits on Jul 20, 2023

  1. Working on v20.5.1

    PR-URL: #48761
    juanarbol committed Jul 20, 2023
    Commit: b71cbce

Commits on Aug 8, 2023

  1. Commit: 1bf3429
  2. Commit: bd094d6

Commits on Aug 9, 2023

  1. deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1

    Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    PR-URL: #49036
    nodejs-github-bot authored and RafaelGSS committed Aug 9, 2023
    Commit: 559698a
  2. deps: update archs files for openssl-3.0.10+quic1

    Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    PR-URL: #49036
    nodejs-github-bot authored and RafaelGSS committed Aug 9, 2023
    Commit: 92300b5
  3. policy: disable process.binding() when enabled

    process.binding() can be used to trivially bypass restrictions imposed
    through a policy. Since the function is deprecated already, simply
    replace it with a stub when a policy is being enabled.
    
    Fixes: https://hackerone.com/bugs?report_id=1946470
    PR-URL: nodejs-private/node-private#397
    Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    CVE-ID: CVE-2023-32559
    tniessen authored and RafaelGSS committed Aug 9, 2023
    Commit: cf348ec
  4. permission: handle buffer path on fs calls

    Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
    Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2038134
    PR-URL: nodejs-private/node-private#439
    RafaelGSS committed Aug 9, 2023
    Commit: 1f0cde4
  5. Commit: 98a83a6
  6. policy: handle Module.constructor and main.extensions bypass

    Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
    PR-URL: nodejs-private/node-private#417
    Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1960870
    Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2043807
    Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
    CVE-ID: CVE-2023-32002,CVE-2023-32006
    RafaelGSS committed Aug 9, 2023
    Commit: 7337d21
  7. 2023-08-09, Version 20.5.1 (Current)

    This is a security release.
    
    Notable changes:
    
    * CVE-2023-32002: Policies can be bypassed via Module._load (High)
    * CVE-2023-32558: process.binding() can bypass the permission model through path traversal (High)
    * CVE-2023-32004: Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
    * CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
    * CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
    * CVE-2023-32005: fs.statfs can bypass the permission model (Low)
    * CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
    * OpenSSL Security Releases
      * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html
      * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html
      * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html
    
    PR-URL: nodejs-private/node-private#465
    RafaelGSS committed Aug 9, 2023
    Commit: 9f51c55