2024-04-10, Version 21.7.3 (Current)

This is a security release. Notable changes: src: * disallow direct .bat and .cmd file spawning (Ben Noordhuis) https://github.com/nodejs-private/node-private/pull/562 PR-URL: https://github.com/nodejs-private/node-private/pull/580
2024-11-21 10:59:27 +00:00 · 2024-04-08 11:06:03 -03:00 · 2024-04-08 11:06:03 -03:00 · e56adf6795
commit e56adf6795
parent 7b01bfb2be
2 changed files with 17 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -36,7 +36,8 @@ release.
 </tr>
 <tr>
  <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V21.md#21.7.2">21.7.2</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V21.md#21.7.3">21.7.3</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V21.md#21.7.2">21.7.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V21.md#21.7.1">21.7.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V21.md#21.7.0">21.7.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V21.md#21.6.2">21.6.2</a><br/>
--- a/doc/changelogs/CHANGELOG_V21.md
+++ b/doc/changelogs/CHANGELOG_V21.md
@ -8,6 +8,7 @@
 </tr>
 <tr>
 <td>
+<a href="#21.7.3">21.7.3</a><br/>
 <a href="#21.7.2">21.7.2</a><br/>
 <a href="#21.7.1">21.7.1</a><br/>
 <a href="#21.7.0">21.7.0</a><br/>
@ -47,6 +48,20 @@
  * [io.js](CHANGELOG_IOJS.md)
  * [Archive](CHANGELOG_ARCHIVE.md)

+<a id="21.7.3"></a>
+
+## 2024-04-10, Version 21.7.3 (Current), @RafaelGSS
+
+This is a security release.
+
+### Notable Changes
+
+* CVE-2024-27980 - Command injection via args parameter of `child_process.spawn` without shell option enabled on Windows
+
+### Commits
+
+* \[[`9095c914ed`](https://github.com/nodejs/node/commit/9095c914ed)] - **src**: disallow direct .bat and .cmd file spawning (Ben Noordhuis) [nodejs-private/node-private#562](https://github.com/nodejs-private/node-private/pull/562)
+
 <a id="21.7.2"></a>

 ## 2024-04-03, Version 21.7.2 (Current), @RafaelGSS prepared by @marco-ippolito