-
Notifications
You must be signed in to change notification settings - Fork 6.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
blog: add pos release announcement #5993
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
* \[[`a4cb7fc7c0`](https://github.com/nodejs/node/commit/a4cb7fc7c0)] - **policy**: use tamper-proof integrity check function (Tobias Nießen) [nodejs-private/node-private#462](https://github.com/nodejs-private/node-private/pull/462) | ||
|
||
Windows 32-bit Installer: https://nodejs.org/dist/v20.8.1/node-v20.8.1-x86.msi \ | ||
Windows 64-bit Installer: *Coming soon* \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it expected? @richardlau
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. 😕
Windows 64-bit Installer: *Coming soon* \ | |
Windows 64-bit Installer: https://nodejs.org/dist/v20.8.1/node-v20.8.1-x64.msi \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: typo pos
in commit message
|
||
* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) | ||
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) | ||
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) | |
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) | ||
* [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High) | ||
* [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High) | ||
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) | |
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) |
|
||
## nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487) | ||
|
||
Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service. | |
Rapidly creating and cancelling streams (`HEADERS` frame immediately followed by `RST_STREAM`) without bound causes denial of service. |
|
||
Impacts: | ||
|
||
* This vulnerability affects all users of HTTP2 servers in all active |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* This vulnerability affects all users of HTTP2 servers in all active | |
* This vulnerability affects all users of HTTP/2 servers in all active |
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- 1 medium severity issues. | ||
- 1 low severity issues. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- 1 medium severity issues. | |
- 1 low severity issues. | |
- 1 medium severity issue. | |
- 1 low severity issue. |
@@ -32,6 +124,6 @@ Releases will be available on, or shortly after, Friday October 13 2023. | |||
|
|||
## Contact and future updates | |||
|
|||
The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/main/SECURITY.md> if you wish to report a vulnerability in Node.js. | |||
The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/master/SECURITY.md> if you wish to report a vulnerability in Node.js. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/master/SECURITY.md> if you wish to report a vulnerability in Node.js. | |
The current Node.js security policy can be found at <https://nodejs.org/en/security/>. Please follow the process outlined in <https://github.com/nodejs/node/blob/main/SECURITY.md> if you wish to report a vulnerability in Node.js. |
@RafaelGSS did you wait for CI? I don't see that this PR got any approval, nor the CI did pass. Please avoid direct merges when possible 🙇 |
@tniessen or @RafaelGSS would you be able to fast-follow with those suggested changes in a new PR? |
I didn't wait for CI, sorry. The release is out and we should have this post asap. I'll create a PR with the suggested changes. |
@MattIPv4 I'll open a separate PR. @RafaelGSS probably still has work to do due to the security releases, which take priority :) |
Right, the CI takes usually just around 50s-1 minute and half, we just want to ensure that the build passes and works as expected :) (I don't think one extra minute would hurt 🙇) |
Well, |
Working on that. |
Linter errors should be fixed #5994. On a side note, I think the Markdown rules in this repo differ from the Markdown rules in the core repo, but we use some of the same content for both reps. |
Are you referring to the But we can change the rules to use
|
That's the main difference that I noticed so far :) |
Apparently prettier enforces |
No description provided.