Node.js - v16.20.2
Security
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-32002: Policies can be bypassed via Module._load (High)
- CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
- CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
- OpenSSL Security Releases
  - OpenSSL security advisory 14th July.
  - OpenSSL security advisory 19th July.
  - OpenSSL security advisory 31st July.
More detailed information on each of the vulnerabilities can be found in the August 2023 Security Releases blog post.
Commits
- [40c3958a5a] - deps: update archs files for OpenSSL-1.1.1v (RafaelGSS) #49043
- [a9ac9da89a] - deps: fix openssl crypto clean (RafaelGSS) #49043
- [362d4c7494] - deps: upgrade openssl sources to OpenSSL_1_1_1v (RafaelGSS) #49043
- [d8ccfe9ad4] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#445
- [242aaa0caa] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#459
Details
- date: Aug. 9, 2023, 5:57 p.m.
- name: 2023-08-09, Version 16.20.2 'Gallium' (LTS), @RafaelGSS
- type: Patch