From df9cb97f590fd9eafdee046351450a6015aaae1b Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 8 Apr 2024 10:15:10 -0300 Subject: [PATCH] 2024-04-10, Version 18.20.2 'Hydrogen' (LTS) This is a security release. Notable changes: src: * disallow direct .bat and .cmd file spawning (Ben Noordhuis) https://github.com/nodejs-private/node-private/pull/564 PR-URL: https://github.com/nodejs-private/node-private/pull/578 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V18.md | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fb7595ca14..1838a4dac92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -73,7 +73,8 @@ release. 20.0.0
-18.20.1
+18.20.2
+18.20.1
18.20.0
18.19.1
18.19.0
diff --git a/doc/changelogs/CHANGELOG_V18.md b/doc/changelogs/CHANGELOG_V18.md index 5d74af83a59..6a52fc97f66 100644 --- a/doc/changelogs/CHANGELOG_V18.md +++ b/doc/changelogs/CHANGELOG_V18.md @@ -9,6 +9,7 @@ +18.20.2
18.20.1
18.20.0
18.19.1
@@ -69,6 +70,20 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2024-04-10, Version 18.20.2 'Hydrogen' (LTS), @RafaelGSS + +This is a security release. + +### Notable Changes + +* CVE-2024-27980 - Command injection via args parameter of `child_process.spawn` without shell option enabled on Windows + +### Commits + +* \[[`6627222409`](https://github.com/nodejs/node/commit/6627222409)] - **src**: disallow direct .bat and .cmd file spawning (Ben Noordhuis) [nodejs-private/node-private#564](https://github.com/nodejs-private/node-private/pull/564) + ## 2024-04-03, Version 18.20.1 'Hydrogen' (LTS), @RafaelGSS