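The following CVEs are fixed in this release:
CVE-2023-30581: mainModule.__proto__ bypass of the experimental policy mechanism (High)
CVE-2023-30585: Privilege escalation via malicious registry key manipulation during the Node.js installer repair process (Medium)
CVE-2023-30588: Process interruption due to invalid public key information in x509 certificates (Medium)
CVE-2023-30589: HTTP request smuggling via empty headers separated by CR (Medium)
CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
OpenSSL security advisories:
OpenSSL security advisory of March 28.
OpenSSL security advisory of April 20.
OpenSSL security advisory of May 30.
c-ares vulnerabilities: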
GHSA-9g78-jv2r-p7vc
GHSA-8r8p-23f3-64c2
GHSA-54xr-f67r-4pc4
GHSA-x6mf-cxr9-8q6v
More detailed information on each of the vulnerabilities can be found in the June 2023 Security Releases blog post.
Commits
[bf3e2c8928] – crypto: handle cert with invalid SPKI gracefully (Tobias Nießen) nodejs-private/node-private#393
[70f9449072] – deps: set CARES_RANDOM_FILE for c-ares (Richard Lau) #48156
[35d4efb57b] – deps: update c-ares to 1.19.1 (RafaelGSS) #48115
[392dfedc77] – deps: update archs files for openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402
[46cd5fe38b] – deps: upgrade openssl sources to quictls/openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402
[7e3d2d85c2] – doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426
[4ff6ba050a] – http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#428
[ab269129a6] – msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408
[925e8f5619] – policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416
[d6fae8e47e] – test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #47851
Windows 32-bit Installer: https://nodejs.org/dist/v18.16.1/node-v18.16.1-x86.msi
Windows 64-bit Installer: https://nodejs.org/dist/v18.16.1/node-v18.16.1-x64.msi
Windows 32-bit Binary: https://nodejs.org/dist/v18.16.1/win-x86/node.exe
Windows 64-bit Binary: https://nodejs.org/dist/v18.16.1/win-x64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v18.16.1/node-v18.16.1.pkg
macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-darwin-arm64.tar.gz
macOS Intel 64-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-darwin-x64.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-aix-ppc64.tar.gz
ARMv7 32-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-linux-armv7l.tar.xz
ARMv8 64-bit Binary: https://nodejs.org/dist/v18.16.1/node-v18.16.1-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v18.16.1/node-v18.16.1.tar.gz
Other release files: https://nodejs.org/dist/v18.16.1/
Documentation: https://nodejs.org/docs/v18.16.1/api/