---
- branch: MAIN
  date: Wed Jun 21 15:15:43 UTC 2023
  files:
  - new: '1.16'
    old: '1.15'
    path: pkgsrc/lang/nodejs16/Makefile
    pathrev: pkgsrc/lang/nodejs16/Makefile@1.16
    type: modified
  - new: '1.12'
    old: '1.11'
    path: pkgsrc/lang/nodejs16/distinfo
    pathrev: pkgsrc/lang/nodejs16/distinfo@1.12
    type: modified
  id: 20230621T151543Z.e332d0c2aefe4335e84a06c97a11d476e9e6fa41
  log: |
    nodejs16: updated to 16.20.1

    Version 16.20.1 'Gallium' (LTS)

    This is a security release.

    Notable Changes

    The following CVEs are fixed in this release:

    * [CVE-2023-30581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581): `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
    * [CVE-2023-30585](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
    * [CVE-2023-30588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588): Process interuption due to invalid Public Key information in x509 certificates (Medium)
    * [CVE-2023-30589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589): HTTP Request Smuggling via Empty headers separated by CR (Medium)
    * [CVE-2023-30590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590): DiffieHellman does not generate keys after setting a private key (Medium)
    * OpenSSL Security Releases
      * [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt).
      * [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt).
      * [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt)
    * c-ares vulnerabilities:
      * [GHSA-9g78-jv2r-p7vc](https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc)
      * [GHSA-8r8p-23f3-64c2](https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
      * [GHSA-54xr-f67r-4pc4](https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4)
      * [GHSA-x6mf-cxr9-8q6v](https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v)
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang/nodejs16'
  unixtime: '1687360543'
  user: adam