Closed renovate[bot] closed 1 year ago
This PR contains the following updates:
18.16.0
18.16.1
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
18.16.0->18.16.1Release Notes
nodejs/node
### [`v18.16.1`](https://togithub.com/nodejs/node/releases/tag/v18.16.1): 2023-06-20, Version 18.16.1 'Hydrogen' (LTS), @RafaelGSS [Compare Source](https://togithub.com/nodejs/node/compare/v18.16.0...v18.16.1) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - [CVE-2023-30581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581): `mainModule.__proto__` Bypass Experimental Policy Mechanism (High) - [CVE-2023-30585](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) - [CVE-2023-30588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588): Process interuption due to invalid Public Key information in x509 certificates (Medium) - [CVE-2023-30589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589): HTTP Request Smuggling via Empty headers separated by CR (Medium) - [CVE-2023-30590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590): DiffieHellman does not generate keys after setting a private key (Medium) - OpenSSL Security Releases - [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt). - [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt). - [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt) - c-ares vulnerabilities: - [GHSA-9g78-jv2r-p7vc](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc) - [GHSA-8r8p-23f3-64c2](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2) - [GHSA-54xr-f67r-4pc4](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4) - [GHSA-x6mf-cxr9-8q6v](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v) More detailed information on each of the vulnerabilities can be found in [June 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/) blog post. ##### Commits - \[[`bf3e2c8928`](https://togithub.com/nodejs/node/commit/bf3e2c8928)] - **crypto**: handle cert with invalid SPKI gracefully (Tobias Nießen) [nodejs-private/node-private#393](https://togithub.com/nodejs-private/node-private/pull/393) - \[[`70f9449072`](https://togithub.com/nodejs/node/commit/70f9449072)] - **deps**: set `CARES_RANDOM_FILE` for c-ares (Richard Lau) [#48156](https://togithub.com/nodejs/node/pull/48156) - \[[`35d4efb57b`](https://togithub.com/nodejs/node/commit/35d4efb57b)] - **deps**: update c-ares to 1.19.1 (RafaelGSS) [#48115](https://togithub.com/nodejs/node/pull/48115) - \[[`392dfedc77`](https://togithub.com/nodejs/node/commit/392dfedc77)] - **deps**: update archs files for openssl-3.0.9-quic1 (Node.js GitHub Bot) [#48402](https://togithub.com/nodejs/node/pull/48402) - \[[`46cd5fe38b`](https://togithub.com/nodejs/node/commit/46cd5fe38b)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.9-quic1 (Node.js GitHub Bot) [#48402](https://togithub.com/nodejs/node/pull/48402) - \[[`7e3d2d85c2`](https://togithub.com/nodejs/node/commit/7e3d2d85c2)] - **doc,test**: clarify behavior of DH generateKeys (Tobias Nießen) [nodejs-private/node-private#426](https://togithub.com/nodejs-private/node-private/pull/426) - \[[`4ff6ba050a`](https://togithub.com/nodejs/node/commit/4ff6ba050a)] - **http**: disable request smuggling via rempty headers (Paolo Insogna) [nodejs-private/node-private#428](https://togithub.com/nodejs-private/node-private/pull/428) - \[[`ab269129a6`](https://togithub.com/nodejs/node/commit/ab269129a6)] - **msi**: do not create AppData\Roaming\npm (Tobias Nießen) [nodejs-private/node-private#408](https://togithub.com/nodejs-private/node-private/pull/408) - \[[`925e8f5619`](https://togithub.com/nodejs/node/commit/925e8f5619)] - **policy**: handle mainModule.\__proto\_\_ bypass (RafaelGSS) [nodejs-private/node-private#416](https://togithub.com/nodejs-private/node-private/pull/416) - \[[`d6fae8e47e`](https://togithub.com/nodejs/node/commit/d6fae8e47e)] - **test**: allow SIGBUS in signal-handler abort test (Michaël Zasso) [#47851](https://togithub.com/nodejs/node/pull/47851)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.