nodejs · vdeturckheim · Sep 23, 2022 · Sep 23, 2022 · Sep 23, 2022 · nschonni
@@ -7,6 +7,100 @@ layout: blog-post.hbs
 author: Vladimir de Turckheim
 ---
 
+## _(Update 23-September-2022)_ Security releases available
+
+Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the
+following issues.
+
+## DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) (High) (CVE-2022-32212, CVE-2018-7160)
+
+The fix for CVE-2022-32212, covered the cases for routable IP addresses, however, there exists a specific
+behavior on macOS devices when handling the `http://0.0.0.0` URL that allows an attacker-controlled DNS server to
+bypass the DNS rebinding protection by resolving hosts in the .local domain.
+
+An attacker-controlled DNS server can, resolve `<Computer Name>.local` to any arbitrary IP address, and consequently
+cause the victim's browser to load arbitrary content at `http://0.0.0.0`.
+This allows the attacker to bypass the DNS rebinding protection.
+
+Thank you, to Zeyu Zhang (@zeyu2001) for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.
+
+Impacts:
+
+* All versions of the 18.x, 16.x, and 14.x release lines.
+
+## HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (Medium) (improper fix for CVE-2022-32215)
+
+Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node.js v16.16.0 and 18.7.0 still
+does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
+
+Thank you, Liav Gutman of the JFrog CSO Team for reporting this vulnerability and thank you Paolo Insogna for fixing it.
+
+Impacts:
+
+* All versions of the 18.x, 16.x, and 14.x release lines.
+* llhttp v6.0.10 contains the fixes that were updated inside Node.js
+
+## CVE-2022-32213 bypass via obs-fold mechanic (Medium) (CVE-2022-32213)
+
+The fix for CVE-2022-32213 can be bypassed using an obs-fold, which the Node.js HTTP parser supports.
+If the Node.js HTTP module is used as a proxy, then it incorrectly parses the transfer-encoding header as indicative of
+chunked request, while folding the headers and hence forwarding `Transfer-Encoding: chunked abc` which is not a valid
+transfer-encoding header to the downstream server. As such this can lead to HTTP request smuggling as indicated by
+CVE-2022-32213.
+
+Thank you, Haxatron for reporting this vulnerability.
+
+Impacts:
+
+* All versions of the 18.x, 16.x, and 14.x release lines.
+* llhttp v6.0.10 contains the fixes that were updated inside Node.js
+
+## HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium) (CVE-2022-35256)
+
+The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated
+with CLRF. This may result in HTTP Request Smuggling.
+
+Thank you, VVX7 for reporting this vulnerability.
+
+Impacts:
+
+* All versions of the 18.x, 16.x, and 14.x release lines.
+* llhttp v6.0.10 contains the fixes that were updated inside Node.js
+
+## Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on macOS (Medium) (CVE-2022-32222)
+
+In Node.js 18 and later, at startup, the process attempts to read
+`/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf` on MacOS which ordinarily doesn't exist.
+The attack would be an attacker with access to a shared MacOS host with a self-chosen username (iojs) being able to
+affect the OpenSSF configuration of other users.
+
+Thank you, Michael Dawson for reporting (and fixing!) this vulnerability.
+
+Impacts:
+
+* All versions of the 18.x releases lines.
+
+## Weak randomness in WebCrypto keygen (High) (CVE-2022-35255)
+
+Node.js made calls to `EntropySource()` in `SecretKeyGenTraits::DoKeyGen()` in `src/crypto/crypto_keygen.cc`.
+However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.
+
+Thank you, Ben Noordhuis for reporting (and fixing!) this vulnerability.
+
+Impacts:
+
+* All versions of the 18.x and 16.x release lines.
+
+## Downloads and release details
+
+Thanks a lot Rafael Gonzaga, Ruy Adorno, Bryan English and Paolo Insogna for the release work.
+
+* [Node.js v14.20.1 (LTS)](https://nodejs.org/en/blog/release/v14.20.1/)
+* [Node.js v16.17.1 (LTS)](https://nodejs.org/en/blog/release/v16.17.1/)
+* [Node.js v18.9.1 (Current)](https://nodejs.org/en/blog/release/v18.9.1/)
+
+---
+
 ## _(Update 22-September-2022)_ Security releases postponed
 
 Some fixes of the security releases have been recently updated and the Node.js security team still needs an extra day of work to ensure the binaries are ready to release.

@@ -136,8 +136,8 @@
   "banners": {
     "index": {
       "startDate": "2022-09-15T16:00:00.000Z",
-      "endDate": "2022-09-23T23:00:00.000Z",
-      "text": "New security releases to be made available September 23rd, 2022",
+      "endDate": "2022-09-30T23:00:00.000Z",
+      "text": "New security releases now available for 18.x, 16.x, and 14.x release lines",
       "link": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/"
     },
     "blacklivesmatter": {