Path to this page:
Subject: CVS commit: pkgsrc/lang/nodejs
From: Adam Ciarcinski
Date: 2023-08-11 07:25:17
Message id: 20230811052517.E4C7CFBDB@cvs.NetBSD.org
Log Message:
nodejs: updated to 20.5.1
Version 20.5.1 (Current)
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32558: process.binding() can bypass the permission model through path \
traversal (High)
CVE-2023-32004: Permission model can be bypassed by specifying a path traversal \
sequence in a Buffer (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
CVE-2023-32005: fs.statfs can bypass the permission model (Low)
CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission \
model (Low)
OpenSSL Security Releases
Files: