Permalink
Comparing changes
Choose two branches to see whatβs changed or to start a new pull request.
If you need to, you can also or
learn more about diff comparisons.
Open a pull request
Create a new pull request by comparing changes across two branches. If you need to, you can also .
Learn more about diff comparisons here.
...
- 7 commits
- 15,322 files changed
- 2 contributors
Commits on Jun 20, 2023
Commits on Aug 8, 2023
-
deps: upgrade openssl sources to OpenSSL_1_1_1v
This updates all sources in deps/openssl/openssl by: $ git clone https://github.com/quictls/openssl $ cd openssl $ git checkout OpenSSL_1_1_1v+quic $ cd ../node/deps/openssl $ rm -rf openssl $ cp -R ../openssl openssl $ rm -rf openssl/.git* openssl/.travis* $ git add --all openssl $ git commit openssl PR-URL: #49043 -
deps: update archs files for OpenSSL-1.1.1v
After an OpenSSL source update, all the config files need to be regenerated and committed by: $ make -C deps/openssl/config $ git add deps/openssl/config/archs $ git add deps/openssl/openssl/include/crypto/bn_conf.h $ git add deps/openssl/openssl/include/crypto/dso_conf.h $ git add deps/openssl/openssl/include/openssl/opensslconf.h $ git commit PR-URL: #49043 -
policy: disable process.binding() when enabled
process.binding() can be used to trivially bypass restrictions imposed through a policy. Since the function is deprecated already, simply replace it with a stub when a policy is being enabled. Fixes: https://hackerone.com/bugs?report_id=1946470 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2023-32559 PR-URL: nodejs-private/node-private#459
-
policy: handle Module.constructor and main.extensions bypass
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: nodejs-private/node-private#445 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1960870 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2043807 CVE-ID: CVE-2023-32002,CVE-2023-32006
-
2023-08-09, Version 16.20.2 'Gallium' (LTS)
This is a security release. Notable changes: Following CVEs are fixed in this release: * CVE-2023-32002: Policies can be bypassed via Module._load (High) * CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium) * CVE-2023-32559: Policies can be bypassed via process.binding (Medium) * OpenSSL Security Releases * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html PR-URL: nodejs-private/node-private#458
Loading
This comparison is taking too long to generate.
Unfortunately it looks like we canβt render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v16.20.1...v16.20.2