This update follows the Security Support Role document; each section below maps to at least one item on the priority list that document defines.
Two meetings to discuss the Security Support Role document took place during June and July.
- 20 reports were submitted between June 1 and July 31:
  - 1 New
  - 1 Resolved
  - 2 Triaged
  - 3 Duplicate
  - 8 Not applicable
  - 5 Informative
- One security release:
  - CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  - CVE-2024-22020 - Bypass network import restriction via data: URL (Medium)
  - CVE-2024-22018 - fs.lstat bypasses permission model (Low)
  - CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
  - CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
- Node.js 22.5.0
- Node.js 22.3.0
- Support for a trailing slash in PR-URL metadata
- Added test CI for nodejs-private/security-release
- Fetch PR_URL from HackerOne
- Mention EOL in the Node.js security release template
- Add test case for CVSS in nodejs-private/security-release
- Sort versions in ascending order in the security release blog post
- Add git node security --sync
- Update the Node.js security-release-process document to describe the automated process
- Update RafaelGSS's releaser key
- Permission Model
  - How wildcard works nodejs/node#53621
  - nodejs/node#53664
  - Mention V8.setFlagsFromString API nodejs/node#53731
  - Remove path.resolve nodejs/node#53729
- Policy for Experimental Features discussion
  - https://github.com/nodejs-private/node-private/issues/601
  - Further discussion will be handled by the Next-10 group
- Drop --experimental-network-imports
- OSSF Monitor is now part of OpenSSF