Closed renovate[bot] closed 4 months ago
renovate[bot]
commented
4 months ago This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
renovate[bot]
commented
4 months ago Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠ Warning: custom changes will be lost.
This PR contains the following updates:
2.6.6->2.7.121.6.1->21.6.2^10.5.10->^10.5.11^5.21.1->^5.22.2Release Notes
nodejs/node (node)
### [`v21.6.2`](https://togithub.com/nodejs/node/releases/tag/v21.6.2): 2024-02-14, Version 21.6.2 (Current), @RafaelGSS [Compare Source](https://togithub.com/nodejs/node/compare/v21.6.1...v21.6.2) ##### Notable changes This is a security release. ##### Notable changes - CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High) - CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) - CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High) - CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High) - CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against [PKCS#1](https://togithub.com/PKCS/node/issues/1) v1.5 padding) - (Medium) - CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium) - CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium) - CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium) - undici version 5.28.3 - libuv version 1.48.0 - OpenSSL version 3.0.13+quic1 ##### Commits - \[[`8344719369`](https://togithub.com/nodejs/node/commit/8344719369)] - **crypto**: disable [PKCS#1](https://togithub.com/PKCS/node/issues/1) padding for privateDecrypt (Michael Dawson) [nodejs-private/node-private#525](https://togithub.com/nodejs-private/node-private/pull/525) - \[[`d093600ac4`](https://togithub.com/nodejs/node/commit/d093600ac4)] - **deps**: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) [#51614](https://togithub.com/nodejs/node/pull/51614) - \[[`6cd930e5e8`](https://togithub.com/nodejs/node/commit/6cd930e5e8)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) [#51614](https://togithub.com/nodejs/node/pull/51614) - \[[`9590c15d3d`](https://togithub.com/nodejs/node/commit/9590c15d3d)] - **deps**: upgrade libuv to 1.48.0 (Santiago Gimeno) [#51698](https://togithub.com/nodejs/node/pull/51698) - \[[`666096298c`](https://togithub.com/nodejs/node/commit/666096298c)] - **deps**: disable io_uring support in libuv by default (Tobias Nießen) [nodejs-private/node-private#528](https://togithub.com/nodejs-private/node-private/pull/528) - \[[`a4edd22e30`](https://togithub.com/nodejs/node/commit/a4edd22e30)] - **fs**: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) [nodejs-private/node-private#497](https://togithub.com/nodejs-private/node-private/pull/497) - \[[`6155a1ffaf`](https://togithub.com/nodejs/node/commit/6155a1ffaf)] - **http**: add maximum chunk extension size (Paolo Insogna) [nodejs-private/node-private#518](https://togithub.com/nodejs-private/node-private/pull/518) - \[[`777509495e`](https://togithub.com/nodejs/node/commit/777509495e)] - **lib**: use cache fs internals against path traversal (RafaelGSS) [nodejs-private/node-private#516](https://togithub.com/nodejs-private/node-private/pull/516) - \[[`9d2ac2b3fc`](https://togithub.com/nodejs/node/commit/9d2ac2b3fc)] - **lib**: update undici to v5.28.3 (Matteo Collina) [nodejs-private/node-private#538](https://togithub.com/nodejs-private/node-private/pull/538) - \[[`208b3940c7`](https://togithub.com/nodejs/node/commit/208b3940c7)] - **src**: fix HasOnly(capability) in node::credentials (Tobias Nießen) [nodejs-private/node-private#505](https://togithub.com/nodejs-private/node-private/pull/505) - \[[`fc2454f29c`](https://togithub.com/nodejs/node/commit/fc2454f29c)] - **src,deps**: disable setuid() etc if io_uring enabled (Tobias Nießen) [nodejs-private/node-private#528](https://togithub.com/nodejs-private/node-private/pull/528) - \[[`ef3eea20be`](https://togithub.com/nodejs/node/commit/ef3eea20be)] - **test,doc**: clarify wildcard usage (RafaelGSS) [nodejs-private/node-private#517](https://togithub.com/nodejs-private/node-private/pull/517) - \[[`8547196964`](https://togithub.com/nodejs/node/commit/8547196964)] - **zlib**: pause stream if outgoing buffer is full (Matteo Collina) [nodejs-private/node-private#540](https://togithub.com/nodejs-private/node-private/pull/540)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
Read more about the use of Renovate Bot within
ocramius/*projects.