blog: add pos release announcement #5993
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
| * \[[`a4cb7fc7c0`](https://github.com/nodejs/node/commit/a4cb7fc7c0)] - **policy**: use tamper-proof integrity check function (Tobias Nießen) [nodejs-private/node-private#462](https://github.com/nodejs-private/node-private/pull/462) | ||
|
|
||
| Windows 32-bit Installer: https://nodejs.org/dist/v20.8.1/node-v20.8.1-x86.msi \ | ||
| Windows 64-bit Installer: *Coming soon* \ |
There was a problem hiding this comment.
Is it expected? @richardlau
There was a problem hiding this comment.
No. 😕
| Windows 64-bit Installer: *Coming soon* \ | |
| Windows 64-bit Installer: https://nodejs.org/dist/v20.8.1/node-v20.8.1-x64.msi \ |
github-actions
bot
removed
the
github_actions:pull-request
Unit Test Coverage Report
Unit Test Report
|
|
|
||
| * [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) | ||
| * [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) | ||
| * [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
There was a problem hiding this comment.
| * [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) | |
| * [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
| * [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) | ||
| * [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High) | ||
| * [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High) | ||
| * [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
There was a problem hiding this comment.
| * [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) | |
| * [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
|
|
||
| ## nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487) | ||
|
|
||
| Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service. |
There was a problem hiding this comment.
| Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service. | |
| Rapidly creating and cancelling streams (`HEADERS` frame immediately followed by `RST_STREAM`) without bound causes denial of service. |
|
|
||
| Impacts: | ||
|
|
||
| * This vulnerability affects all users of HTTP2 servers in all active |
There was a problem hiding this comment.
| * This vulnerability affects all users of HTTP2 servers in all active | |
| * This vulnerability affects all users of HTTP/2 servers in all active |
|
|
||
|
|
| - 1 medium severity issues. | ||
| - 1 low severity issues. |
There was a problem hiding this comment.
| - 1 medium severity issues. | |
| - 1 low severity issues. | |
| - 1 medium severity issue. | |
| - 1 low severity issue. |
| @@ -32,6 +124,6 @@ Releases will be available on, or shortly after, Friday October 13 2023. | |||
|
|
|||
| ## Contact and future updates | |||
|
|
|||
| The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/main/SECURITY.md> if you wish to report a vulnerability in Node.js. | |||
| The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/master/SECURITY.md> if you wish to report a vulnerability in Node.js. | |||
There was a problem hiding this comment.
| The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/master/SECURITY.md> if you wish to report a vulnerability in Node.js. | |
| The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/main/SECURITY.md> if you wish to report a vulnerability in Node.js. |
|
@RafaelGSS did you wait for CI? I don't see that this PR got any approval, nor the CI did pass. Please avoid direct merges when possible 🙇 |
|
@tniessen or @RafaelGSS would you be able to fast-follow with those suggested changes in a new PR? |
|
I didn't wait for CI, sorry. The release is out and we should have this post asap. I'll create a PR with the suggested changes. |
|
@MattIPv4 I'll open a separate PR. @RafaelGSS probably still has work to do due to the security releases, which take priority :) |
Right, the CI takes usually just around 50s-1 minute and half, we just want to ensure that the build passes and works as expected :) (I don't think one extra minute would hurt 🙇) |
|
Well, |
|
Working on that. |
|
Linter errors should be fixed #5994. On a side note, I think the Markdown rules in this repo differ from the Markdown rules in the core repo, but we use some of the same content for both reps. |
Are you referring to the But we can change the rules to use
|
That's the main difference that I noticed so far :) |
Apparently prettier enforces |
No description provided.