nodejs/node
### [`v16.19.1`](https://togithub.com/nodejs/node/releases/tag/v16.19.1): 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v16.19.0...v16.19.1)
This is a security release.
##### Notable Changes
The following CVEs are fixed in this release:
- **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
- **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
- **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
Fixed by an update to undici:
- **[CVE-2023-23936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
- See for more information.
- **[CVE-2023-24807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807)**: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
- See for more information.
More detailed information on each of the vulnerabilities can be found in [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post.
This security release includes OpenSSL security updates as outlined in the recent
[OpenSSL security advisory](https://www.openssl.org/news/secadv/20230207.txt).
##### Commits
- \[[`7fef050447`](https://togithub.com/nodejs/node/commit/7fef050447)] - **build**: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) [nodejs-private/node-private#374](https://togithub.com/nodejs-private/node-private/pull/374)
- \[[`b558e9f476`](https://togithub.com/nodejs/node/commit/b558e9f476)] - **crypto**: clear OpenSSL error on invalid ca cert (RafaelGSS) [nodejs-private/node-private#375](https://togithub.com/nodejs-private/node-private/pull/375)
- \[[`160adb7ffc`](https://togithub.com/nodejs/node/commit/160adb7ffc)] - **crypto**: clear OpenSSL error queue after calling X509\_check_private_key() (Filip Skokan) [#45495](https://togithub.com/nodejs/node/pull/45495)
- \[[`d0ece30948`](https://togithub.com/nodejs/node/commit/d0ece30948)] - **crypto**: clear OpenSSL error queue after calling X509\_verify() (Takuro Sato) [#45377](https://togithub.com/nodejs/node/pull/45377)
- \[[`2d9ae4f184`](https://togithub.com/nodejs/node/commit/2d9ae4f184)] - **deps**: update undici to v5.19.1 (Matteo Collina) [nodejs-private/node-private#388](https://togithub.com/nodejs-private/node-private/pull/388)
- \[[`d80e8312fd`](https://togithub.com/nodejs/node/commit/d80e8312fd)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46568](https://togithub.com/nodejs/node/pull/46568)
- \[[`de5c8d2c2f`](https://togithub.com/nodejs/node/commit/de5c8d2c2f)] - **deps**: update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS) [#46568](https://togithub.com/nodejs/node/pull/46568)
- \[[`1a8ccfe908`](https://togithub.com/nodejs/node/commit/1a8ccfe908)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1t+quic (RafaelGSS) [#46568](https://togithub.com/nodejs/node/pull/46568)
- \[[`693789780b`](https://togithub.com/nodejs/node/commit/693789780b)] - **doc**: clarify release notes for Node.js 16.19.0 (Richard Lau) [#45846](https://togithub.com/nodejs/node/pull/45846)
- \[[`f95ef064f4`](https://togithub.com/nodejs/node/commit/f95ef064f4)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-private/node-private#358](https://togithub.com/nodejs-private/node-private/pull/358)
- \[[`b02d895137`](https://togithub.com/nodejs/node/commit/b02d895137)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-private/node-private#358](https://togithub.com/nodejs-private/node-private/pull/358)
- \[[`d7f83c420c`](https://togithub.com/nodejs/node/commit/d7f83c420c)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://togithub.com/nodejs/node/pull/46276)
Configuration
๐ Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
๐ฆ Automerge: Disabled by config. Please merge this manually once you are satisfied.
โป Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
๐ Ignore: Close this PR and you won't be reminded about these updates again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
16.19.0-alpine3.16
->16.19.1-alpine3.16
16.19.0-alpine3.16
->16.19.1-alpine3.16
Release Notes
nodejs/node
### [`v16.19.1`](https://togithub.com/nodejs/node/releases/tag/v16.19.1): 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v16.19.0...v16.19.1) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High) - **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium) - **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low) Fixed by an update to undici: - **[CVE-2023-23936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium) - SeeConfiguration
๐ Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
๐ฆ Automerge: Disabled by config. Please merge this manually once you are satisfied.
โป Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
๐ Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.