2024-02-14, Version 21.6.2 (Current)

This is a security release. Notable changes: crypto: * disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525 deps: * upgrade libuv to 1.48.0 (Santiago Gimeno) https://github.com/nodejs/node/pull/51698 * disable io_uring support in libuv by default (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/528 fs: * protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/497 http: * add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/518 lib: * update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/538 * use cache fs internals against path traversal (RafaelGSS) https://github.com/nodejs-private/node-private/pull/516 src: * fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505 src,deps: * disable setuid() etc if io_uring enabled (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/528 test,doc: * clarify wildcard usage (RafaelGSS) https://github.com/nodejs-private/node-private/pull/517 zlib: * pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/540 PR-URL: https://github.com/nodejs-private/node-private/pull/543
2024-11-21 10:59:27 +00:00 · 2024-02-07 11:16:21 -03:00 · 2024-02-07 11:16:21 -03:00 · b43171c6f6
commit b43171c6f6
parent 5405aa5b90
3 changed files with 42 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -36,7 +36,8 @@ release.
 </tr>
 <tr>
  <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V21.md#21.6.1">21.6.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V21.md#21.6.2">21.6.2</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V21.md#21.6.1">21.6.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V21.md#21.6.0">21.6.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V21.md#21.5.0">21.5.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V21.md#21.4.0">21.4.0</a><br/>
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@ -3175,6 +3175,7 @@ an `Error` with this code will be emitted.

 <!-- YAML
 added:
+ - v21.6.2
 - v20.11.1
 - v18.19.1
 -->
--- a/doc/changelogs/CHANGELOG_V21.md
+++ b/doc/changelogs/CHANGELOG_V21.md
@ -8,6 +8,7 @@
 </tr>
 <tr>
 <td>
+<a href="#21.6.2">21.6.2</a><br/>
 <a href="#21.6.1">21.6.1</a><br/>
 <a href="#21.6.0">21.6.0</a><br/>
 <a href="#21.5.0">21.5.0</a><br/>
@ -43,6 +44,44 @@
  * [io.js](CHANGELOG_IOJS.md)
  * [Archive](CHANGELOG_ARCHIVE.md)

+<a id="21.6.2"></a>
+
+## 2024-02-14, Version 21.6.2 (Current), @RafaelGSS
+
+### Notable changes
+
+This is a security release.
+
+### Notable changes
+
+* CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
+* CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
+* CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
+* CVE-2024-22017 - setuid() does not drop all privileges due to io\_uring - (High)
+* CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
+* CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
+* CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
+* CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
+* undici version 5.28.3
+* libuv version 1.48.0
+* OpenSSL version 3.0.13+quic1
+
+### Commits
+
+* \[[`8344719369`](https://github.com/nodejs/node/commit/8344719369)] - **crypto**: disable PKCS#1 padding for privateDecrypt (Michael Dawson) [nodejs-private/node-private#525](https://github.com/nodejs-private/node-private/pull/525)
+* \[[`d093600ac4`](https://github.com/nodejs/node/commit/d093600ac4)] - **deps**: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) [#51614](https://github.com/nodejs/node/pull/51614)
+* \[[`6cd930e5e8`](https://github.com/nodejs/node/commit/6cd930e5e8)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) [#51614](https://github.com/nodejs/node/pull/51614)
+* \[[`9590c15d3d`](https://github.com/nodejs/node/commit/9590c15d3d)] - **deps**: upgrade libuv to 1.48.0 (Santiago Gimeno) [#51698](https://github.com/nodejs/node/pull/51698)
+* \[[`666096298c`](https://github.com/nodejs/node/commit/666096298c)] - **deps**: disable io\_uring support in libuv by default (Tobias Nießen) [nodejs-private/node-private#528](https://github.com/nodejs-private/node-private/pull/528)
+* \[[`a4edd22e30`](https://github.com/nodejs/node/commit/a4edd22e30)] - **fs**: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) [nodejs-private/node-private#497](https://github.com/nodejs-private/node-private/pull/497)
+* \[[`6155a1ffaf`](https://github.com/nodejs/node/commit/6155a1ffaf)] - **http**: add maximum chunk extension size (Paolo Insogna) [nodejs-private/node-private#518](https://github.com/nodejs-private/node-private/pull/518)
+* \[[`777509495e`](https://github.com/nodejs/node/commit/777509495e)] - **lib**: use cache fs internals against path traversal (RafaelGSS) [nodejs-private/node-private#516](https://github.com/nodejs-private/node-private/pull/516)
+* \[[`9d2ac2b3fc`](https://github.com/nodejs/node/commit/9d2ac2b3fc)] - **lib**: update undici to v5.28.3 (Matteo Collina) [nodejs-private/node-private#538](https://github.com/nodejs-private/node-private/pull/538)
+* \[[`208b3940c7`](https://github.com/nodejs/node/commit/208b3940c7)] - **src**: fix HasOnly(capability) in node::credentials (Tobias Nießen) [nodejs-private/node-private#505](https://github.com/nodejs-private/node-private/pull/505)
+* \[[`fc2454f29c`](https://github.com/nodejs/node/commit/fc2454f29c)] - **src,deps**: disable setuid() etc if io\_uring enabled (Tobias Nießen) [nodejs-private/node-private#528](https://github.com/nodejs-private/node-private/pull/528)
+* \[[`ef3eea20be`](https://github.com/nodejs/node/commit/ef3eea20be)] - **test,doc**: clarify wildcard usage (RafaelGSS) [nodejs-private/node-private#517](https://github.com/nodejs-private/node-private/pull/517)
+* \[[`8547196964`](https://github.com/nodejs/node/commit/8547196964)] - **zlib**: pause stream if outgoing buffer is full (Matteo Collina) [nodejs-private/node-private#540](https://github.com/nodejs-private/node-private/pull/540)
+
 <a id="21.6.1"></a>

 ## 2024-01-22, Version 21.6.1 (Current), @RafaelGSS