This is a security release.
Notable Changes
The following CVEs are fixed in this release:
* CVE-2023-30581: `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
* CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
* CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
* CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
* CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
* CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases
* [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt).
* [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt).
* [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt)
PR-URL: https://github.com/nodejs-private/node-private/pull/435
This is a security release.
Notable changes:
Following CVEs are fixed in this release:
* CVE-2023-30581: `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases
* https://www.openssl.org/news/secadv/20230328.txt
* https://www.openssl.org/news/secadv/20230420.txt
* https://www.openssl.org/news/secadv/20230530.txt
* c-ares vulnerabilities:
* GHSA-9g78-jv2r-p7vc
* GHSA-8r8p-23f3-64c2
* GHSA-54xr-f67r-4pc4
* GHSA-x6mf-cxr9-8q6v
PR-URL: https://github.com/nodejs-private/node-private/pull/432
For cross-platform compatibility use perl instead of sed.
Fixes: https://github.com/nodejs/node/issues/48496
PR-URL: https://github.com/nodejs/node/pull/48499
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Mestery <mestery@protonmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit:
1. Adds a link to the WinterCG Runtime Keys proposal draft spec in the
documentation for the `export` condition.
2. Adds a criteria to add more export conditions to the Node.js docs:
they should be Node.js core-relevant.
3. Removes the "deno" and "react-native" export conditions from the core
docs with the expectation that readers will follow the link to the
Runtime Keys proposal draft spec to learn about them and more.
PR-URL: https://github.com/nodejs/node/pull/48408
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/48377
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
This change is a fix for handling headersTimeout and requestTimeout
that causes unexpected behavior if the HTTP server is started on boot:
- the connections to the server can be closed immediately
with the status HTTP 408
This issue usually happens on IoT or embedded devices where
the reference timestamp (returned by uv_hrtime()) is counted since boot
and can be smaller than the headersTimeout or the requestTimeout value.
Additionally added performance improvement to process the list of
connection only if one of the timers should be processed
PR-URL: https://github.com/nodejs/node/pull/48291
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/48451
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Introduce APIs that allow for the creation of JavaScript strings without
copying the underlying native string into the engine. The APIs fall back
to regular string creation if the engine's external string APIs are
unavailable. In this case, an optional boolean out-parameter indicates
that the string was copied, and the optional finalizer is called if
given.
PR-URL: https://github.com/nodejs/node/pull/48339
Fixes: https://github.com/nodejs/node/issues/48198
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Signed-off-by: Gabriel Schulhof <gabrielschulhof@gmail.com>
The binding data must be weak so that it won't keep the realm reachable
from strong GC roots indefinitely. The wrapper object of binding data
should be referenced from JavaScript, thus the binding data should be
reachable throughout the lifetime of the realm.
PR-URL: https://github.com/nodejs/node/pull/47688
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
An AliasedBuffer can be nested in a BaseObject and their weak callbacks
invoke order are not guaranteed. Prevent aliased buffer from being
accessed in its weak callback as its validness can be checked with the
emptiness of the persistent handle.
PR-URL: https://github.com/nodejs/node/pull/47688
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/48150
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
This is the certdata.txt[0] from NSS 3.90, released on 2023-04-06.
This is the version of NSS that shipped in Firefox 113 on
2023-05-09.
Certificates added:
- BJCA Global Root CA1
- BJCA Global Root CA2
[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_90_RTM/lib/ckfw/builtins/certdata.txt
PR-URL: https://github.com/nodejs/node/pull/48416
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
The OPENSSL_FIPS guard is only needed for versions of OpenSSL earlier
than 3.0.
Removing the guard for OpenSSL 3 fixes `parallel/test-crypto-fips`
when run with a FIPS enabled OpenSSL 3 configuration.
PR-URL: https://github.com/nodejs/node/pull/48392
Refs: https://github.com/nodejs/node/issues/48379
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
fix: #46559
OSX will raise both SIGBUS and SIGSEGV when out of bound memory visit,
This commit set sigaction in OSX for two signals to handle this.
PR-URL: https://github.com/nodejs/node/pull/46561
Fixes: https://github.com/nodejs/node/issues/46559
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
The connection interval should close when httpsServer.close is called
similarly to how it gets cleared when httpServer.close is called.
fixes: https://github.com/nodejs/node/issues/48373
PR-URL: https://github.com/nodejs/node/pull/48383
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/46826
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
- Run the embedder entry point directly through
runEmbedderEntryPoint(), instead of going through another
JS -> C++ trip through the function returned by
getEmbedderEntryFunction()
- For --build-snapshot, read the snapshot script code directly in C++
and pass it to SnapshotBuilder::Generate(), this makes the entry point
more explicit instead of hiding it in JS land, and also makes it
possible to invoke SnapshotBuilder::Generate() internally to create
a custom snapshot.
- Previously we used process.execPath for the embedder to create
__filename and __dirname in the snapshot builder script while using
process.argv[1] for --build-snapshot (where it's always set) which
results in inconsistencies. We now require the embedder to also set
args[1] when creating the Environment if they intend to run snapshot
scripts with a context that contains __filename and __dirname, which
would be derived from args[1]. If they prefer not to include
build-time paths in the snapshot, we now provide
node::GetAnonymousMainPath() as an alternative.
PR-URL: https://github.com/nodejs/node/pull/48242
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
GCC 14 drops some transitive includes within libstdc++.
Explicitly include <algorithm> for std::find.
Signed-off-by: Sam James <sam@gentoo.org>
PR-URL: https://github.com/nodejs/node/pull/48380
Reviewed-By: LiviaMedeiros <livia@cirno.name>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
- Move the initialization of process.setSourceMapsEnabled
and the maybeCacheGeneratedSourceMap callback to
bootstrap/node.js so they are included in the snapshot.
- Simplify the handling of --enable-source-maps by explicitly
calling setSourceMapsEnabled() during pre-execution.
PR-URL: https://github.com/nodejs/node/pull/48304
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Instead of adding a special case for it in the internal binding
loader, just implement it as usual using a per-context property
initializer.
PR-URL: https://github.com/nodejs/node/pull/48186
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
This patch removes special case in the internal binding loader
for natives, and implements it using the builtins internal
binding. Internally we do not actually need the natives binding,
so implement it as a legacy wrapper instead.
PR-URL: https://github.com/nodejs/node/pull/48186
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
