This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Microsoft Azure Private 5G Core. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.9. The following CVEs are assigned: CVE-2024-20685.
Category Archives: Advisories
ZDI-24-361: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability
This vulnerability allows remote attackers to bypass the SmartScreen security feature to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-29988.
yyjson-0.9.0-1.fc38
FEDORA-2024-4691d60717
Packages in this update:
yyjson-0.9.0-1.fc38
Update description:
Update to 0.9.0; fix rhbz#2274045 and rhbz#2266791; Security fix for CVE-2024-25713
yyjson-0.9.0-1.fc39
FEDORA-2024-ef2e551fab
Packages in this update:
yyjson-0.9.0-1.fc39
Update description:
Update to 0.9.0; fix rhbz#2274045 and rhbz#2266791; Security fix for CVE-2024-25713
yyjson-0.9.0-1.fc40
FEDORA-2024-8c48a81cb9
Packages in this update:
yyjson-0.9.0-1.fc40
Update description:
Update to 0.9.0; fix rhbz#2274045 and rhbz#2266791; Security fix for CVE-2024-25713
yyjson-0.9.0-1.fc41
FEDORA-2024-2a0f7e9e97
Packages in this update:
yyjson-0.9.0-1.fc41
Update description:
Automatic update for yyjson-0.9.0-1.fc41.
Changelog
* Tue Apr 9 2024 topazus <topazus@outlook.com> – 0.9.0-1
– Update to 0.9.0; fix rhbz#2274045 and rhbz#2266791
python-django-4.2.11-1.fc40
FEDORA-2024-5c7fb64c74
Packages in this update:
python-django-4.2.11-1.fc40
Update description:
Security fix for CVE-2024-24680 and CVE-2024-27351
python-django-4.2.11-1.fc39
FEDORA-2024-2ec03ca8cb
Packages in this update:
python-django-4.2.11-1.fc39
Update description:
Security fix for CVE-2024-24680 and CVE-2024-27351
python-django-4.2.11-1.fc41
FEDORA-2024-c5c5671edb
Packages in this update:
python-django-4.2.11-1.fc41
Update description:
Automatic update for python-django-4.2.11-1.fc41.
Changelog
* Mon Apr 8 2024 Michel Lind <salimma@fedoraproject.org> – 4.2.11-1
– Update to 4.2.11
– Resolves CVE-2024-24680 (rhbz#2263505)
– Resolves CVE-2024-27351 (rhbz#2267654)
nodejs20-20.12.1-3.fc40
FEDORA-2024-25b66392e2
Packages in this update:
nodejs20-20.12.1-3.fc40
Update description:
2024-04-03, Version 20.12.1 ‘Iron’ (LTS), @RafaelGSS
This is a security release
Notable Changes
CVE-2024-27983 – Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
CVE-2024-27982 – HTTP Request Smuggling via Content Length Obfuscation – (Medium)
llhttp version 9.2.1
undici version 5.28.4
2024-03-26, Version 20.12.0 ‘Iron’ (LTS), @richardlau
Notable Changes
crypto: implement crypto.hash()
This patch introduces a helper crypto.hash() that computes
a digest from the input at one shot. This can be 1.2-2x faster
than the object-based createHash() for smaller inputs (<= 5MB)
that are readily available (not streamed) and incur less memory
overhead since no intermediate objects will be created.
const crypto = require(‘node:crypto’);
// Hashing a string and return the result as a hex-encoded string.
const string = ‘Node.js’;
// 10b3493287f831e81a438811a1ffba01f8cec4b7
console.log(crypto.hash(‘sha1’, string));
Contributed by Joyee Cheung in #51044.
Loading and parsing environment variables
process.loadEnvFile(path):
Use this function to load the .env file. If no path is specified, it automatically loads the .env file in the current directory. Example: process.loadEnvFile().
Load a specific .env file by specifying its path. Example: process.loadEnvFile(‘./development.env’).
util.parseEnv(content):
Use this function to parse an existing string containing environment variable assignments.
Example usage: require(‘node:util’).parseEnv(‘HELLO=world’).
Contributed by Yagiz Nizipli in #51476.
New connection attempt events
Three new events were added in the net.createConnection flow:
connectionAttempt: Emitted when a new connection attempt is established. In case of Happy Eyeballs, this might emitted multiple times.
connectionAttemptFailed: Emitted when a connection attempt failed. In case of Happy Eyeballs, this might emitted multiple times.
connectionAttemptTimeout: Emitted when a connection attempt timed out. In case of Happy Eyeballs, this will not be emitted for the last attempt. This is not emitted at all if Happy Eyeballs is not used.
Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user.
This led to a failed assertion.
Contributed by Paolo Insogna in #51045.
Permission Model changes
Node.js 20.12.0 comes with several fixes for the experimental permission model and two new semver-minor commits.
We’re adding a new flag –allow-addons to enable addon usage when using the Permission Model.
$ node –experimental-permission –allow-addons
Contributed by Rafael Gonzaga in #51183
And relative paths are now supported through the –allow-fs-* flags.
Therefore, with this release one can use:
$ node –experimental-permission –allow-fs-read=./index.js
To give only read access to the entrypoint of the application.
Contributed by Rafael Gonzaga and Carlos Espa in #50758.
sea: support embedding assets
Users can now include assets by adding a key-path dictionary
to the configuration as the assets field. At build time, Node.js
would read the assets from the specified paths and bundle them into
the preparation blob. In the generated executable, users can retrieve
the assets using the sea.getAsset() and sea.getAssetAsBlob() API.
{
“main”: “/path/to/bundled/script.js”,
“output”: “/path/to/write/the/generated/blob.blob”,
“assets”: {
“a.jpg”: “/path/to/a.jpg”,
“b.txt”: “/path/to/b.txt”
}
}
The single-executable application can access the assets as follows:
const { getAsset } = require(‘node:sea’);
// Returns a copy of the data in an ArrayBuffer
const image = getAsset(‘a.jpg’);
// Returns a string decoded from the asset as UTF8.
const text = getAsset(‘b.txt’, ‘utf8’);
// Returns a Blob containing the asset without copying.
const blob = getAssetAsBlob(‘a.jpg’);
Contributed by Joyee Cheung in #50960.
Support configurable snapshot through –build-snapshot-config flag
We are adding a new flag –build-snapshot-config to configure snapshots through a custom JSON configuration file.
$ node –build-snapshot-config=/path/to/myconfig.json
When using this flag, additional script files provided on the command line will
not be executed and instead be interpreted as regular command line arguments.
These changes were contributed by Joyee Cheung and Anna Henningsen in #50453
Text Styling
util.styleText(format, text): This function returns a formatted text considering the format passed.
A new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, …) and emphasis (italic, bold, …).
const { styleText } = require(‘node:util’);
const errorMessage = styleText(‘red’, ‘Error! Error!’);
console.log(errorMessage);
Contributed by Rafael Gonzaga in #51850.
vm: support using the default loader to handle dynamic import()
This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the
importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don’t need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring –experimental-vm-modules.
const { Script, constants } = require(‘node:vm’);
const { resolve } = require(‘node:path’);
const { writeFileSync } = require(‘node:fs’);
// Write test.js and test.txt to the directory where the current script
// being run is located.
writeFileSync(resolve(__dirname, ‘test.mjs’),
‘export const filename = “./test.json”;’);
writeFileSync(resolve(__dirname, ‘test.json’),
‘{“hello”: “world”}’);
// Compile a script that loads test.mjs and then test.json
// as if the script is placed in the same directory.
const script = new Script(
`(async function() {
const { filename } = await import(‘./test.mjs’);
return import(filename, { with: { type: ‘json’ } })
})();`,
{
filename: resolve(__dirname, ‘test-with-default.js’),
importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
});
// { default: { hello: ‘world’ } }
script.runInThisContext().then(console.log);
Contributed by Joyee Cheung in #51244.
Root certificates updated to NSS 3.98
Certificates added:
Telekom Security TLS ECC Root 2020
Telekom Security TLS RSA Root 2023
Certificates removed:
Security Communication Root CA
Updated dependencies
acorn updated to 8.11.3.
ada updated to 2.7.6.
base64 updated to 0.5.2.
brotli updated to 1.1.0.
c-ares updated to 1.27.0.
corepack updated to 0.25.2.
ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
nghttp2 updated to 1.60.0.
npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
simdutf8 updated to 4.0.8.
Timezone updated to 2024a.
zlib updated to 1.3.0.1-motley-40e35a7.
Include Provides: nodejs20-* for non-versioned packages.