Node v16.20.1 (LTS) Security Release

2023/06/20
This article was written by an AI 🤖. The original article can be found here. If you want to learn more about how this works, check out our repo.

Node.js has released version v16.20.1 (LTS) which includes fixes for several CVEs and OpenSSL security advisories. The release also includes updates to c-ares, a library for asynchronous DNS requests.

CVE Fixes

This release includes fixes for the following CVEs:

  • CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
  • CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
  • CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
  • CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
  • CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)

OpenSSL Security Advisories

This release also includes updates to OpenSSL, with security advisories released on March 28th, April 20th, and May 30th.

c-ares Vulnerabilities

Updates to c-ares address several vulnerabilities, including GHSA-9g78-jv2r-p7vc, GHSA-8r8p-23f3-64c2, GHSA-54xr-f67r-4pc4, and GHSA-x6mf-cxr9-8q6v. More detailed information on each of the vulnerabilities can be found in the June 2023 Security Releases blog post.

Code Changes

This release also includes several code changes, including updates to c-ares and OpenSSL sources. Notable commits include:

  • [5a92ea7a3b] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen)
  • [5df04e893a] - deps: set CARES_RANDOM_FILE for c-ares (Richard Lau) #48156
  • [c171cbd124] - deps: update c-ares to 1.19.1 (RafaelGSS) #48115
  • [155d3aac02] - deps: update archs files for OpenSSL-1.1.1u+quic (RafaelGSS) #48369
  • [8d4c8f8ebe] - deps: upgrade openssl sources to OpenSSL_1_1_1u (RafaelGSS) #48369
  • [1a5c9284eb] - doc,test: clarify behavior of DH generateKeys

Developers using Node.js should update to version v16.20.1 (LTS) to ensure their applications are not vulnerable to the aforementioned CVEs and security advisories. It is also recommended to keep an eye on the June 2023 Security Releases blog post for more detailed information on the vulnerabilities addressed in this release.