From 31c6fa732f64ad3cb3f7ba96d2332e26af62e1ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Fri, 13 Oct 2023 23:50:30 +0200 Subject: [PATCH] blog: make minor improvements to latest posts (#5994) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * blog: make minor improvements to latest posts * Update pages/en/blog/release/v20.8.1.md Co-authored-by: Richard Lau Signed-off-by: Tobias Nießen --------- Signed-off-by: Tobias Nießen Co-authored-by: Richard Lau --- pages/en/blog/release/v18.18.2.md | 28 +++++++++---------- pages/en/blog/release/v20.8.1.md | 28 +++++++++---------- .../october-2023-security-releases.md | 19 ++++++------- 3 files changed, 37 insertions(+), 38 deletions(-) diff --git a/pages/en/blog/release/v18.18.2.md b/pages/en/blog/release/v18.18.2.md index 91a3431cd7f2b..283c84b9fa2cf 100644 --- a/pages/en/blog/release/v18.18.2.md +++ b/pages/en/blog/release/v18.18.2.md @@ -10,25 +10,25 @@ author: Rafael Gonzaga The following CVEs are fixed in this release: -* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) -* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) -* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) -* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low) +- [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) +- [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) +- [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) +- [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low) More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post. ### Commits -* \[[`55028468db`](https://github.com/nodejs/node/commit/55028468db)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#50153](https://github.com/nodejs/node/pull/50153) -* \[[`a792bbc515`](https://github.com/nodejs/node/commit/a792bbc515)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#50121](https://github.com/nodejs/node/pull/50121) -* \[[`f6444defa4`](https://github.com/nodejs/node/commit/f6444defa4)] - **deps**: update nghttp2 to 1.56.0 (Node.js GitHub Bot) [#49582](https://github.com/nodejs/node/pull/49582) -* \[[`7e9b08dfd4`](https://github.com/nodejs/node/commit/7e9b08dfd4)] - **deps**: update nghttp2 to 1.55.1 (Node.js GitHub Bot) [#48790](https://github.com/nodejs/node/pull/48790) -* \[[`85672c153f`](https://github.com/nodejs/node/commit/85672c153f)] - **deps**: update nghttp2 to 1.55.0 (Node.js GitHub Bot) [#48746](https://github.com/nodejs/node/pull/48746) -* \[[`300a902422`](https://github.com/nodejs/node/commit/300a902422)] - **deps**: update nghttp2 to 1.53.0 (Node.js GitHub Bot) [#47997](https://github.com/nodejs/node/pull/47997) -* \[[`7d83ed0bf6`](https://github.com/nodejs/node/commit/7d83ed0bf6)] - _**Revert**_ "**deps**: update nghttp2 to 1.55.0" (Richard Lau) [#50151](https://github.com/nodejs/node/pull/50151) -* \[[`1193ca5fdb`](https://github.com/nodejs/node/commit/1193ca5fdb)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#50047](https://github.com/nodejs/node/pull/50047) -* \[[`eaf9083cf1`](https://github.com/nodejs/node/commit/eaf9083cf1)] - **module**: fix code injection through export names (Tobias Nießen) [nodejs-private/node-private#461](https://github.com/nodejs-private/node-private/pull/461) -* \[[`1c538938cc`](https://github.com/nodejs/node/commit/1c538938cc)] - **policy**: use tamper-proof integrity check function (Tobias Nießen) [nodejs-private/node-private#462](https://github.com/nodejs-private/node-private/pull/462) +- \[[`55028468db`](https://github.com/nodejs/node/commit/55028468db)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#50153](https://github.com/nodejs/node/pull/50153) +- \[[`a792bbc515`](https://github.com/nodejs/node/commit/a792bbc515)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#50121](https://github.com/nodejs/node/pull/50121) +- \[[`f6444defa4`](https://github.com/nodejs/node/commit/f6444defa4)] - **deps**: update nghttp2 to 1.56.0 (Node.js GitHub Bot) [#49582](https://github.com/nodejs/node/pull/49582) +- \[[`7e9b08dfd4`](https://github.com/nodejs/node/commit/7e9b08dfd4)] - **deps**: update nghttp2 to 1.55.1 (Node.js GitHub Bot) [#48790](https://github.com/nodejs/node/pull/48790) +- \[[`85672c153f`](https://github.com/nodejs/node/commit/85672c153f)] - **deps**: update nghttp2 to 1.55.0 (Node.js GitHub Bot) [#48746](https://github.com/nodejs/node/pull/48746) +- \[[`300a902422`](https://github.com/nodejs/node/commit/300a902422)] - **deps**: update nghttp2 to 1.53.0 (Node.js GitHub Bot) [#47997](https://github.com/nodejs/node/pull/47997) +- \[[`7d83ed0bf6`](https://github.com/nodejs/node/commit/7d83ed0bf6)] - _**Revert**_ "**deps**: update nghttp2 to 1.55.0" (Richard Lau) [#50151](https://github.com/nodejs/node/pull/50151) +- \[[`1193ca5fdb`](https://github.com/nodejs/node/commit/1193ca5fdb)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#50047](https://github.com/nodejs/node/pull/50047) +- \[[`eaf9083cf1`](https://github.com/nodejs/node/commit/eaf9083cf1)] - **module**: fix code injection through export names (Tobias Nießen) [nodejs-private/node-private#461](https://github.com/nodejs-private/node-private/pull/461) +- \[[`1c538938cc`](https://github.com/nodejs/node/commit/1c538938cc)] - **policy**: use tamper-proof integrity check function (Tobias Nießen) [nodejs-private/node-private#462](https://github.com/nodejs-private/node-private/pull/462) Windows 32-bit Installer: https://nodejs.org/dist/v18.18.2/node-v18.18.2-x86.msi \ Windows 64-bit Installer: https://nodejs.org/dist/v18.18.2/node-v18.18.2-x64.msi \ diff --git a/pages/en/blog/release/v20.8.1.md b/pages/en/blog/release/v20.8.1.md index 9ba2f7b4b3448..c8c633a212573 100644 --- a/pages/en/blog/release/v20.8.1.md +++ b/pages/en/blog/release/v20.8.1.md @@ -10,27 +10,27 @@ author: Rafael Gonzaga The following CVEs are fixed in this release: -* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) -* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) -* [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High) -* [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High) -* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) -* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low) +- [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) +- [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) +- [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High) +- [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High) +- [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) +- [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low) More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post. ### Commits -* \[[`c86883e844`](https://github.com/nodejs/node/commit/c86883e844)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#50121](https://github.com/nodejs/node/pull/50121) -* \[[`2860631359`](https://github.com/nodejs/node/commit/2860631359)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#50153](https://github.com/nodejs/node/pull/50153) -* \[[`cd37838bf8`](https://github.com/nodejs/node/commit/cd37838bf8)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#50047](https://github.com/nodejs/node/pull/50047) -* \[[`f5c90b2951`](https://github.com/nodejs/node/commit/f5c90b2951)] - **module**: fix code injection through export names (Tobias Nießen) [nodejs-private/node-private#461](https://github.com/nodejs-private/node-private/pull/461) -* \[[`fa5dae1944`](https://github.com/nodejs/node/commit/fa5dae1944)] - **permission**: fix Uint8Array path traversal (Tobias Nießen) [nodejs-private/node-private#456](https://github.com/nodejs-private/node-private/pull/456) -* \[[`cd35275111`](https://github.com/nodejs/node/commit/cd35275111)] - **permission**: improve path traversal protection (Tobias Nießen) [nodejs-private/node-private#456](https://github.com/nodejs-private/node-private/pull/456) -* \[[`a4cb7fc7c0`](https://github.com/nodejs/node/commit/a4cb7fc7c0)] - **policy**: use tamper-proof integrity check function (Tobias Nießen) [nodejs-private/node-private#462](https://github.com/nodejs-private/node-private/pull/462) +- \[[`c86883e844`](https://github.com/nodejs/node/commit/c86883e844)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#50121](https://github.com/nodejs/node/pull/50121) +- \[[`2860631359`](https://github.com/nodejs/node/commit/2860631359)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#50153](https://github.com/nodejs/node/pull/50153) +- \[[`cd37838bf8`](https://github.com/nodejs/node/commit/cd37838bf8)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#50047](https://github.com/nodejs/node/pull/50047) +- \[[`f5c90b2951`](https://github.com/nodejs/node/commit/f5c90b2951)] - **module**: fix code injection through export names (Tobias Nießen) [nodejs-private/node-private#461](https://github.com/nodejs-private/node-private/pull/461) +- \[[`fa5dae1944`](https://github.com/nodejs/node/commit/fa5dae1944)] - **permission**: fix Uint8Array path traversal (Tobias Nießen) [nodejs-private/node-private#456](https://github.com/nodejs-private/node-private/pull/456) +- \[[`cd35275111`](https://github.com/nodejs/node/commit/cd35275111)] - **permission**: improve path traversal protection (Tobias Nießen) [nodejs-private/node-private#456](https://github.com/nodejs-private/node-private/pull/456) +- \[[`a4cb7fc7c0`](https://github.com/nodejs/node/commit/a4cb7fc7c0)] - **policy**: use tamper-proof integrity check function (Tobias Nießen) [nodejs-private/node-private#462](https://github.com/nodejs-private/node-private/pull/462) Windows 32-bit Installer: https://nodejs.org/dist/v20.8.1/node-v20.8.1-x86.msi \ -Windows 64-bit Installer: *Coming soon* \ +Windows 64-bit Installer: https://nodejs.org/dist/v20.8.1/node-v20.8.1-x64.msi \ Windows ARM 64-bit Installer: https://nodejs.org/dist/v20.8.1/node-v20.8.1-arm64.msi \ Windows 32-bit Binary: https://nodejs.org/dist/v20.8.1/win-x86/node.exe \ Windows 64-bit Binary: https://nodejs.org/dist/v20.8.1/win-x64/node.exe \ diff --git a/pages/en/blog/vulnerability/october-2023-security-releases.md b/pages/en/blog/vulnerability/october-2023-security-releases.md index f28462e54ac4d..69fc787ec7545 100644 --- a/pages/en/blog/vulnerability/october-2023-security-releases.md +++ b/pages/en/blog/vulnerability/october-2023-security-releases.md @@ -22,12 +22,12 @@ More details area available in [GHSA-wqq4-5wpv-mx2g](https://github.com/nodejs/u ## nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487) -Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service. +Rapidly creating and cancelling streams (`HEADERS` frame immediately followed by `RST_STREAM`) without bound causes denial of service. See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details. Impacts: -* This vulnerability affects all users of HTTP2 servers in all active +- This vulnerability affects all users of HTTP/2 servers in all active release lines 18.x and 20.x. ## Permission model improperly protects against path traversal (High) - (CVE-2023-39331) @@ -38,7 +38,7 @@ overwriting built-in utility functions with user-defined implementations. Impacts: -* This vulnerability affects all users using the experimental permission model in Node.js 20.x. +- This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js. @@ -57,7 +57,7 @@ which only referred to `Buffer` objects. However, the vulnerability follows the Impacts: -* This vulnerability affects all users using the experimental permission model in Node.js 20.x. +- This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js. @@ -72,14 +72,13 @@ thus effectively disabling the integrity check. Impacts: -* This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. +- This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE is issued, the policy mechanism is an experimental feature of Node.js. Thanks to [Tobias Nießen](https://github.com/tniessen) who reported and created the security patch. - ## Code injection via WebAssembly export names (Low) - (CVE-2023-39333) Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. @@ -88,7 +87,7 @@ similar to as if the WebAssembly module was a JavaScript module. Impacts: -* This vulnerability affects users of the `--experimental-wasm-modules` command line option in all active release lines 18.x and 20.x. +- This vulnerability affects users of the `--experimental-wasm-modules` command line option in all active release lines 18.x and 20.x. Thanks to dittyroma for reporting the issue and to [Tobias Nießen](https://github.com/tniessen) for fixing it. @@ -105,8 +104,8 @@ The Node.js project will release new versions of the 18.x and 20.x releases lines on or shortly after, Friday October 13 2023 in order to address: - 2 high severity issues. -- 1 medium severity issues. -- 1 low severity issues. +- 1 medium severity issue. +- 1 low severity issue. - undici October security updates - nghttp2 October security updates @@ -124,6 +123,6 @@ Releases will be available on, or shortly after, Friday October 13 2023. ## Contact and future updates -The current Node.js security policy can be found at . Please follow the process outlined in if you wish to report a vulnerability in Node.js. +The current Node.js security policy can be found at . Please follow the process outlined in if you wish to report a vulnerability in Node.js. Subscribe to the low-volume announcement-only nodejs-sec mailing list at to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.