Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 26 Jun 2024 02:45:09 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Rafael Gonzaga <work@...aelgss.dev>
Subject: Re: Fwd: Node.js security updates for all active release lines, July 2024

On Tue, Jun 25, 2024 at 10:54:21AM -0700, Rafael Gonzaga wrote:
> ---------- Mensagem encaminhada ---------
> De: Rafael Gonzaga <work@...aelgss.dev>
> Data: ter??a-feira, 25 de junho de 2024 ??s 14:53:37 UTC-3
> Assunto: Node.js security updates for all active release lines, July 2024
> Para: nodejs-sec <nodejs-sec@...glegroups.com>
> 
> The Node.js project will release new versions of all supported release
> lines on or shortly after July 2nd, 2024
> For more information see:
> https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Thanks.  I include below the Markdown source of the full blog post
above.  For further occasions or if someone else wants to help post
these in here, to obtain it on the blog post click "Edit this page",
which gets to GitHub, then click "Raw".

Alexander

---
date: 2024-07-02T03:00:00.000Z
category: vulnerability
title: Tuesday, July 2, 2024 Security Releases
slug: july-2024-security-releases
layout: blog-post
author: The Node.js Project
---

# Summary

The Node.js project will release new versions of the 22.x, 20.x, 18.x
releases lines on or shortly after, Tuesday, July 2, 2024 in order to address:

- 1 high severity issues.
- 2 medium severity issues.
- 3 low severity issues.

Node.js fetch will be upgraded to undici v6.19.2 on Node.js 18.x and Node.js 20.x.
Node.js 22.x already includes undici v6.19.2.

## Impact

The 22.x release line of Node.js is vulnerable to 1 high severity issues, 2 medium severity issues, 3 low severity issues.
The 20.x release line of Node.js is vulnerable to 1 high severity issues, 2 medium severity issues, 3 low severity issues.
The 18.x release line of Node.js is vulnerable to 1 high severity issues, 2 medium severity issues.

It's important to note that End-of-Life versions are always affected when a security release occurs.
To ensure your system's security, please use an up-to-date version as outlined in our
[Release Schedule](https://github.com/nodejs/release#release-schedule).

## Release timing

Releases will be available on, or shortly after, Tuesday, July 2, 2024.

## Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/.
Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.