Release Notes: https://nodejs.org/en/blog/release/v20.15.1
Fixes the following CVEs:
CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
CVE-2024-22018 - fs.lstat bypasses permission model (Low)
CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
Also these additional CVEs were fixed in the v20.12.1 and v20.12.2 releases [1][2]:
CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (High)
CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation (Medium)
CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
NodeJS tests are passing:
$ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl
12:02:58 TestNodeJSModuleHostSrc Starting
12:02:58 TestNodeJSModuleHostSrc Building
13:17:15 TestNodeJSModuleHostSrc Building done
13:17:23 TestNodeJSModuleHostSrc Cleaning up
.13:17:23 TestNodeJSModuleHostBin Starting
13:17:23 TestNodeJSModuleHostBin Building
14:06:15 TestNodeJSModuleHostBin Building done
14:06:20 TestNodeJSModuleHostBin Cleaning up
.14:06:20 TestNodeJSBasic Starting
14:06:20 TestNodeJSBasic Building
14:55:40 TestNodeJSBasic Building done
14:55:45 TestNodeJSBasic Cleaning up
LICENSE hash changed due to changes in vendored components:
* copyright year update and adding spdx identifier [1]
[1] https://nodejs.org/en/blog/release/v20.12.1
[2] https://nodejs.org/en/blog/release/v20.12.2
[3] d5a316f5ea
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>