2024-08-24, Version 14.21.4 'Fermium' (NES)
Includes over 20 dependency security and compatibility fixes including resolution for the following vulnerabilities:
- CVE-2023-32067 (c-ares) - c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection.
- CVE-2023-31147 (c-ares) - c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available.
- CVE-2023-31130 (c-ares) - c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues
- CVE-2023-31124 (c-ares) - c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG
- CVE-2022-4904 (c-ares) - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
- CVE-2022-35256 (llhttp) - The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
- CVE-2023-44487 (nghttp2) - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly
-
CVE-2023-35945 (nghttp2) - A memory leak vulnerability in Envoy's HTTP/2 codec, caused by improper cleanup after receiving
RST_STREAM
followed byGOAWAY
frames, can lead to denial of service through memory exhaustion; this issue was patched in Envoy versions 1.26.3, 1.25.8, 1.24.9, and 1.23.11. -
CVE-2021-39135 (npm) - A vulnerability in
@npmcli/arborist
allowed attackers to exploit symbolic links in thenode_modules
folder, potentially writing package dependencies to arbitrary locations on the filesystem; this issue was patched in version 2.8.2, included in npm v7.20.7 and above. -
CVE-2021-39134 (npm) - A vulnerability in
@npmcli/arborist
allowed attackers to overwrite arbitrary files on case-insensitive file systems by exploiting case differences in dependency names, affecting npm v7.20.6 and earlier; it was patched in version 2.8.2 included with npm v7.20.7 and above. - CVE-2024-0727 (OpenSSL) - A vulnerability in OpenSSL can cause a crash when processing maliciously formatted PKCS12 files, potentially leading to a Denial of Service (DoS) in applications handling untrusted PKCS12 files.
- CVE-2023-5678 (OpenSSL) - A vulnerability in OpenSSL's X9.42 DH key generation and checking functions can cause significant delays when processing excessively long keys or parameters, potentially leading to a Denial of Service (DoS) when dealing with untrusted sources.
- CVE-2023-4807 (OpenSSL) - A bug in OpenSSL's POLY1305 MAC implementation on Windows 64 systems with AVX512-IFMA support may corrupt application state, potentially leading to crashes or Denial of Service (DoS), though the severity is considered low.
- CVE-2023-3817 (OpenSSL) - A vulnerability in OpenSSL's DH parameter checking functions can cause significant delays when processing excessively long DH keys, potentially leading to a Denial of Service (DoS) in applications using untrusted sources.
- CVE-2023-2650 (OpenSSL) - A vulnerability in OpenSSL's OBJ_obj2txt() function can cause significant delays when processing large ASN.1 object identifiers, potentially leading to a Denial of Service (DoS) in certain applications.
-
CVE-2023-0466 (OpenSSL) - A flaw in OpenSSL's
X509_VERIFY_PARAM_add0_policy()
function fails to enable certificate policy checks as documented, allowing certificates with invalid policies to pass verification. - CVE-2023-0465 (OpenSSL) - A vulnerability in OpenSSL allows a malicious CA to bypass certificate policy checks when non-default verification options are used, potentially leading to security breaches.
- CVE-2023-0464 (OpenSSL) - A vulnerability in OpenSSL's X.509 certificate chain verification could enable a DoS attack through excessive resource usage when policy constraints are processed.
- GHSA-5689-v88g-g6rv (llhttp) - llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
- GHSA-q5vx-44v4-gch4 (llhttp) - llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields.
-
GHSA-cggh-pq45-6h9x (llhttp) - llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding.
Potential breaking changes
- Update npm to 7.24.0
- Update llhttp to 9.2.0