base repository: nodejs/node
base: v18.12.0
head repository: nodejs/node
compare: v18.12.1
  • 5 commits
  • 612 files changed
  • 4 contributors

Commits on Oct 25, 2022

  1. Working on v18.12.0

    PR-URL: #45100
    ruyadorno committed Oct 25, 2022
    0774b64

Commits on Nov 2, 2022

  1. inspector: harden IP address validation again

    Use inet_pton() to parse IP addresses, which restricts IP addresses
    to a small number of well-defined formats. In particular, octal and
    hexadecimal number formats are not allowed, and neither are leading
    zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable.
    
    Refs: https://hackerone.com/reports/1710652
    CVE-ID: CVE-2022-43548
    PR-URL: nodejs-private/node-private#354
    Reviewed-by: Michael Dawson <midawson@redhat.com>
    Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
    Reviewed-by: Rich Trott <rtrott@gmail.com>
    tniessen authored and juanarbol committed Nov 2, 2022
    165342b
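
The validation rule described in the inspector commit message above, as an added example (not Node.js source code): a C helper, hypothetically named `is_allowed_ip_literal`, that accepts a host string only when inet_pton() parses it and it lies outside 0.0.0.0/8 and is not `::`. It assumes the input is the bare host with no port or brackets; the sample strings are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not a Node.js function): returns true only when
 * `host` is a strict IPv4/IPv6 literal that is not in 0.0.0.0/8 and not ::.
 * inet_pton() takes dotted-decimal IPv4 only, so octal ("0177.0.0.1"),
 * hexadecimal ("0x7f.0.0.1"), single-integer and short forms all fail. */
bool is_allowed_ip_literal(const char *host) {
    struct in_addr v4;
    struct in6_addr v6;

    if (host == NULL) return false;

    if (inet_pton(AF_INET, host, &v4) == 1) {
        /* s_addr is in network byte order, so byte 0 is the first octet. */
        const unsigned char *octets = (const unsigned char *)&v4.s_addr;
        return octets[0] != 0;            /* reject 0.0.0.0/8 */
    }
    if (inet_pton(AF_INET6, host, &v6) == 1) {
        for (size_t i = 0; i < sizeof v6.s6_addr; i++)
            if (v6.s6_addr[i] != 0) return true;
        return false;                     /* all zero: unspecified address :: */
    }
    return false;                         /* not an IP literal at all */
}

int main(void) {
    /* Constructed sample inputs. */
    const char *samples[] = { "127.0.0.1", "::1", "0177.0.0.1", "0x7f.0.0.1",
                              "010.0.0.1", "2130706433", "127.1",
                              "0.0.0.0", "0.1.2.3", "::", "example.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i],
               is_allowed_ip_literal(samples[i]) ? "accept" : "reject");
    return 0;
}
```
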

Commits on Nov 3, 2022

  1. deps: upgrade openssl sources to quictls/openssl-3.0.7+quic

    This updates all sources in deps/openssl/openssl by:
        $ git clone git@github.com:quictls/openssl.git
        $ cd openssl
        $ git checkout openssl-3.0.7+quic
        $ cd ../node/deps/openssl
        $ rm -rf openssl
        $ cp -R ../../../openssl openssl
        $ rm -rf openssl/.git* openssl/.travis*
        $ git add --all openssl
        $ git commit openssl
    
    CVE-ID: CVE-2022-3602, CVE-2022-3786
    PR-URL: #45286
    RafaelGSS authored and juanarbol committed Nov 3, 2022
    8021812
  2. deps: update archs files for quictls/openssl-3.0.7+quic

    After an OpenSSL source update, all the config files need to be
    regenerated and committed by:
        $ make -C deps/openssl/config clean
        $ make -C deps/openssl/config
        $ git add deps/openssl/config/archs
        $ git add deps/openssl/openssl
        $ git commit
    
    CVE-ID: CVE-2022-3602, CVE-2022-3786
    PR-URL: #45286
    RafaelGSS authored and juanarbol committed Nov 3, 2022
    39f8a67

Commits on Nov 4, 2022

  1. 2022-11-04, Version 18.12.1 'Hydrogen' (LTS)

    This is a security release.
    
    Notable changes:
    
    The following CVEs are fixed in this release:
    
    - CVE-2022-3602: A buffer overrun can be triggered in X.509
                     certificate verification (High)
    - CVE-2022-3786: A buffer overrun can be triggered in X.509
                     certificate verification (High)
    - CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
                      address (Medium)
    
    PR-URL: nodejs-private/node-private#365
    juanarbol authored and RafaelGSS committed Nov 4, 2022
    9ca57fa