I don't recall the exact criteria, but V8 doesn't usually back merge fixes that far back. Version 11.3 is over a year old and version 10.2 is over 2 years old by now.

On Thursday, August 8, 2024 at 9:52:37 PM UTC+2 [email protected] wrote:
> Good morning/afternoon.
>
> There are 3 high V8 CVEs that have been recently fixed. I'd like to know
> if they will be backported to V8 versions 10.2.154.x (used by Node 18.20.4)
> and 11.3.244.x (used by Node 20.16.0).
>
> See
>
> - https://github.com/nodejs/node/blob/v18.20.4/deps/v8/include/v8-version.h
> - https://github.com/nodejs/node/blob/v20.16.0/deps/v8/include/v8-version.h
>
> The CVEs are:
>
> *https://nvd.nist.gov/vuln/detail/CVE-2024-4761 (Score 8.8)*
>
> - Out of bounds write.
> - Fixed in version 12.6.213 <https://github.com/v8/v8/releases/tag/12.6.213>
> - Fixed by this commit <https://github.com/v8/v8/commit/f320600cd1f48ba6bb57c0395823fe0c5e5ec52e>
>
> *https://nvd.nist.gov/vuln/detail/CVE-2024-4947*
>
> - Type Confusion.
> - Fixed in version 12.0.267.27 <https://github.com/v8/v8/releases/tag/12.0.267.27>
> - Fixed by this commit <https://github.com/v8/v8/commit/2944ee9846e>
>
> *https://nvd.nist.gov/vuln/detail/CVE-2024-5274*
>
> - Type Confusion.
> - Fixed in version 12.4.254.20 <https://github.com/v8/v8/releases/tag/12.4.254.20>
> - Fixed by this commit <https://github.com/v8/v8/commit/6e5e1053fa6>
>
> These are high CVEs identified by CISA as being KEV.
